{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 2.106
      },
      {
        "name": "AnalysisInfo",
        "time": 0.036
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.038
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.046
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_ntcreatethreadex",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_setunhandledexceptionfilter",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "hardware_id_profiling",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_window",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "amsi_enumeration",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "suspicious_ntdll_disk_load",
        "time": 0.0
      },
      {
        "name": "direct_syscall_evasion",
        "time": 0.0
      },
      {
        "name": "unbacked_syscall_execution",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "privilege_elevation_check",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "query_fips_reconnaissance",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "debugs_self",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "dllload_suspicious_directory",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "install_kernel_driver_service",
        "time": 0.0
      },
      {
        "name": "malformed_dll_loading",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "registers_vectored_exception_handler",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_module_stomping_probing",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "section_mapping_injection",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "apc_injection",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_mutex",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_named_pipe",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_shared_memory",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "unbacked_exception_filter",
        "time": 0.0
      },
      {
        "name": "unbacked_process_mitigation_alteration",
        "time": 0.0
      },
      {
        "name": "thread_unbacked_memory",
        "time": 0.0
      },
      {
        "name": "unbacked_api_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_dotnet_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_library_load",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_apc_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_protection_alteration",
        "time": 0.0
      },
      {
        "name": "unbacked_mutex_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_process_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_veh_registration",
        "time": 0.0
      },
      {
        "name": "unbacked_com_instantiation",
        "time": 0.0
      },
      {
        "name": "unbacked_crypto_operations",
        "time": 0.0
      },
      {
        "name": "unbacked_delay_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_file_dropping",
        "time": 0.0
      },
      {
        "name": "unbacked_process_enumeration",
        "time": 0.0
      },
      {
        "name": "unbacked_registry_modification",
        "time": 0.0
      },
      {
        "name": "unbacked_service_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_token_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_wmi_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_bind_shell",
        "time": 0.0
      },
      {
        "name": "unbacked_dns_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_network_connection",
        "time": 0.0
      },
      {
        "name": "unbacked_named_pipe_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_useragent_retrieval",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "etherhiding_smart_contract_call",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "decompress_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "ransomware_iocp_asynchronous_encryption",
        "time": 0.0
      },
      {
        "name": "kernel_crypto_driver_abuse",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_extension_hijack",
        "time": 0.0
      },
      {
        "name": "mass_file_modification_access",
        "time": 0.0
      },
      {
        "name": "ransomware_attribute_stripping",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "mass_ransom_note_drop",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_system_procname",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "byod_loldrivers_match",
        "time": 0.0
      },
      {
        "name": "byod_novel_driver",
        "time": 0.0
      },
      {
        "name": "byod_post_load_exploitation",
        "time": 0.0
      },
      {
        "name": "byod_driver_service_install",
        "time": 0.0
      },
      {
        "name": "com_spawned_process",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.002
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.001
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "pe_deep_entrypoint",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "pe_cert_invalid_signature",
        "time": 0.0
      },
      {
        "name": "pe_cert_self_signed",
        "time": 0.0
      },
      {
        "name": "pe_cert_suspicious_issuer",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "sigma_events",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "browser_credential_theft_headless",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.002
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.006
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.003
      },
      {
        "name": "antiav_detectreg",
        "time": 0.027
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.001
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.0
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.001
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.001
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.001
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.001
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.003
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.002
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.001
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.002
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.001
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "executes_headless_browser",
        "time": 0.0
      },
      {
        "name": "suspicious_browser_arguments",
        "time": 0.001
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.001
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "folder_enumeration",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.002
      },
      {
        "name": "infostealer_ftp",
        "time": 0.01
      },
      {
        "name": "infostealer_im",
        "time": 0.006
      },
      {
        "name": "infostealer_mail",
        "time": 0.002
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.001
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.001
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.001
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.001
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.005
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.004
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.003
      },
      {
        "name": "ransomware_files",
        "time": 0.004
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.001
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.01
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.002
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.002
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "ssstik.io__jeznions_.mp4",
      "path": "/opt/CAPEv2/storage/binaries/4de4ed46b08ce490fbb479eaf5d8550037e4a1a523edb4798958f71d89307490",
      "guest_paths": "",
      "size": 620848,
      "crc32": "5E402106",
      "md5": "08e72659f2482b1ddd681c929b4625bb",
      "sha1": "6a6565ce90e3761e3c255316407594eb86772644",
      "sha256": "4de4ed46b08ce490fbb479eaf5d8550037e4a1a523edb4798958f71d89307490",
      "sha512": "bee5e2e0dbaf14c9b9a2fe1c655ecab9b419384aae744ddf3bbecd5e8fc4ae212e2d630439da8cd08f9e11e343e0b61413b9f1a7f4cacd16591916dc7012706d",
      "rh_hash": null,
      "ssdeep": "12288:yYzKG0u0gt+sbPBdLCWjmVUXxHRvUJESwjC2c+a1WFsk0qKAXJnZ47YOh3:P3Ggt+sbBdeWFhl0ESie8F0qK+nXOh3",
      "type": "ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T168D4230AE7A143C8C509333D22F51288A199E788DE3FCFE792891771523A255AD77EF1",
      "sha3_384": "a107ef3e051fc9c79d6b7d04ca771aa02ab264b373e86e549eb0da88c1907d4562cb234e14ff4b486e55b981243a74c6",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "data": null,
      "strings": [
        "=VBtN~6",
        "12tFK7E!",
        "q3C\\t",
        "\\R;a]",
        "m6Y#S2",
        "P\\:f>",
        "*^(R'qT",
        "?GIV\"",
        "4glTHk",
        "B$6 5j",
        "W7,5'",
        "8we>s",
        "hrtVq(",
        "oInh@0",
        "JVy>+Z#3",
        "/wzU]",
        "a\"`'RU",
        ">$mJf",
        "5*gDC",
        "]:2vR.",
        "=i3Ks",
        "`08-1",
        "%T<fH",
        "e#H_X8",
        "N>{u'",
        "S$|tC",
        "%?]]y",
        "',[y5'",
        "5iR&q",
        "h/0`~",
        "RFhjY",
        "uG,o>",
        "VYV'j",
        "??8}s",
        ")MZ+'ie",
        "d]*zU",
        "-p|ml",
        "B7~c ",
        "o;?]l",
        "zw#mM",
        "I*0|P",
        "<]u(Ad",
        "cV*#W",
        "w(B9ZQ",
        "PViHB$",
        "lEP@!",
        "[ZJvQ",
        "2s+RN?",
        "8xIoT",
        "'h:G,",
        "f4S'ArK",
        "WR+#i2",
        "}|6yA%",
        " [w{*",
        "`uJDa",
        "]a4!X",
        "mL9&%i",
        "XN2PC",
        "~T|(C",
        "%a]0X",
        "WJXZC",
        "*DW9I",
        "`EaD|",
        "216H8P+nZ",
        "`u{5H",
        "_J2mf]",
        "$/]kN",
        "24E_91",
        "K Aq:j",
        "2,'o@Y#",
        "Hd%jM",
        "ZEdC1",
        "x4^Ws",
        "I=\"x-",
        "N;p%2p",
        "7K7k)",
        "nEhR=",
        "+ks:F}\\",
        "Y!sQpE,k",
        "3J~P9",
        "GN@=&R@",
        "b].'J",
        "ppHc%",
        "J2Q1G",
        "5:19/",
        "2N=jq",
        "{K3$;",
        "[kHp& u",
        "gg!A#",
        "e|IBYyRf",
        "@$b[u7",
        "+{8{5",
        "r-m&j",
        "^>m^zn",
        "y >2(m",
        "{/wY\\",
        "3minf",
        "\"D|mL'P",
        ")D\"h+",
        "*2:N<",
        "w%[96",
        "Ukt-$",
        "$% F~Sd",
        "_]8`k`",
        "$g@=gIk",
        "Fh81*ES",
        "4`mw8",
        "Uf-@W?",
        "MeYOeqK",
        "5esds",
        "Fn\"w'F8$C",
        "A;5o#",
        "sokj}",
        "jEw9V",
        "k_tTv",
        "%\" JQ",
        "Q9EM=",
        "#(ZxA",
        "X07SA",
        "#IhsT",
        "Zn3T\\{",
        "m=Rh@Q",
        "`8P)58",
        "xH)A[",
        "zb{)/",
        "D\\L${n",
        "[-{rc~",
        "_^K8a7",
        "1[sD\"",
        "e<ux3",
        "7'-iF",
        "BF4WT",
        "SZRc?",
        "5R./1",
        "O6cTO4",
        "Z]<(uK",
        "RMXPt",
        "9nOsx",
        "&&j<t",
        "(%NA#",
        "1>rAB",
        "xq0Pw",
        "Q6#1C",
        "u|h{V)",
        "\\.$2]D",
        "oHE!i",
        "pz}hRl",
        "?t+X_PN?",
        "4@~C_Pkx*",
        "ff\"&]",
        "1[B4E+",
        "08SCT",
        "r9W>*P",
        "`Nsi1U|",
        "4`g-E",
        "Q1?rd",
        "eV;!~",
        "tlY-?ly",
        "qy|rK",
        "g$1(P(",
        "ySXo2z",
        "G8\"Jg'h",
        "_uEj,;",
        "2MDAB",
        "WBlsr",
        ":#Y}5\"",
        "R{FJ]",
        "{3'/-",
        "iu!8e",
        "'URwP",
        "flI;}/",
        "Na?/9",
        "v%UE2",
        "QT#(l",
        "ykn9;",
        "l&<7/P@",
        "g*IBAxT",
        "S]hNN&",
        "R6Sr3",
        "Hj+*,",
        "#:@,s",
        "\"e ,B",
        "!h>BM",
        "O .V#",
        "vKV-:)t}",
        ",sD6$&",
        "mXqbB",
        "n%~6-",
        "J@lY_)",
        "O~Q[:tl",
        "n.%([",
        "1#j&Ny0",
        "Z[14H",
        "cFR]C",
        "'Byy$",
        "|$:te",
        "$?J4[c`",
        "0x,*)",
        "eSJ<E",
        "sF0,(m",
        "~0n1c",
        "ZldDY",
        "#j:M*",
        "8w]XNexz,A",
        ". #0Cp",
        "\"5fhLd",
        "ze4WS",
        "*)sFZ",
        "IU'wp:",
        "(gwkV_",
        "v]|P4!",
        "k8W!/",
        "8)KQ\"",
        "'vCX:U*",
        "r6;Ll",
        "-y V!",
        "}AI9_",
        ":~T!c",
        "W',vkK",
        ">@-0V",
        "k#;#4",
        "3#LGg",
        "Dv'U~",
        "f.4]`",
        "<?2zA}",
        "?@Gu-t",
        "``8y,",
        "Gefjg",
        "xdAR;",
        "foC:8",
        "bm]Ix",
        "kWh=1<B;c7",
        "#:d7J",
        " MHZ]f",
        "\"NsV D^",
        "fCbIEV",
        " C%BL",
        "`w :F",
        "~Zj\\v",
        "JKc;6`",
        "Wac%G",
        "^N^;D",
        "IFmEP",
        "%data",
        "v':&y",
        "B]Byh2",
        "QS,qx",
        "(&Qmo<",
        ":jrd;",
        "<A>vU",
        "<oqr v",
        "{KF|g",
        "|O?py",
        "7Nv/;",
        "9E1LR",
        ">yC(N",
        "wn,$q,",
        "I|yn*",
        " 8Z''",
        "[3H<e0C",
        "C&;;~",
        "fEO@L",
        "=$?r?*",
        "VZ8:L",
        "w-QpW!",
        "mO6):Z\\",
        "o?g\\S9H",
        "'M_O:u",
        "E2N5?(!",
        "se:ko",
        "C c9u",
        "59m@`",
        "pb`zX",
        "Pn+m~#d",
        "xr{A3",
        "6:_D(rwA",
        "$<U5jv",
        "`h!E\\-",
        "Z}E9 ",
        ".-]mH&d",
        "0U@SUrG",
        "V=)h+",
        "{T^0U",
        "+fV:o",
        "T5G?5",
        "NR*1E",
        "!fT/b",
        "}gWEvt`G",
        "2p,Lifz",
        "w{#p}(",
        "H@4m&",
        "A?Kwu",
        "c[mrJ",
        "#lFTr[",
        "8!`mH",
        "Gem0w;NW",
        "=fA@FM2o",
        "#t#,`",
        "' ,=AD?",
        "4data",
        "aUB5\"/",
        "]3ip;R,",
        "ab'*n",
        "}<OzO",
        ";3$}n&",
        "kO`k*SI",
        "e:$Ny",
        "*@/H6",
        "[qC!d",
        "'v6=DT?ez*",
        "iG14@",
        "*^u? 1",
        "<:O`C",
        "e*'~\"Z",
        "Y}S%=QG",
        "4^.uL",
        "\"S?j ",
        "66JhW",
        "-)eXn",
        "FvP\"\\",
        "Qgt7^",
        ")?T/W",
        "& @Qi",
        "w h-?D",
        "|~~HV",
        "i3,&LKw",
        "cL$}j",
        "<tzx:",
        "OkZmj-",
        "NGAu(",
        "Ok6,@-",
        "Pe=]M_CA",
        "\\07p\".",
        "]PDea",
        "e+f\\QE",
        "0#tkx",
        "O7*\\/",
        "he[Xy",
        "62`R4",
        "D[ *7c:=",
        "r.{O$h",
        "-p|V ",
        "E\"_LSm",
        "|}.i?",
        "wA_,]",
        "+|o#)H",
        "1q#@u",
        ".{beOVh",
        "s@o*1,A",
        "y?`;9",
        ";S?\"<",
        "y00Mj",
        "9RVsU&R",
        "-n .kq",
        "QHMSq",
        "'WM+<",
        "6_+>9",
        "\"6{I)",
        "?mjH}E",
        "Hctts",
        "'Fs7\"-",
        "d+7F<7",
        "ezFK/",
        "HaGJ\"0",
        "i^&+g%@",
        "EAZ,/",
        "d-g#:",
        "ZM~Q>0b",
        "mp@MG",
        "(}VO1",
        "f8gbG",
        "#%#:eG",
        "J6^YCTe",
        "z4L{Y",
        "b>*5}",
        "2OQuo#",
        "ZR]$Y",
        "{O*J*",
        "]ukC-",
        "e4j+VH",
        "T}U!g9",
        "/:~.ptn",
        "o'gU'?\\",
        "rA ~Ut",
        "gzhk7S",
        "BsDPH|",
        "ganKr",
        "K-#N*7",
        "z67cdJ",
        "Yg\"a+",
        "7ZUW4a",
        "[CDS`",
        "REH\"`e",
        ":Xf-4",
        "t]@/8N",
        ">->$r",
        "{;Ku7",
        "Td(egFR",
        "C?)\\J+ ",
        "+5p3~r~[e'",
        "W2ol#",
        "Hgm*T",
        "D$2zj",
        "Ajrd<(",
        ")Fz .",
        ":v`k!l",
        "?^ESf",
        "h4gog",
        "?iRoH",
        "F{N/l",
        "_NZxa",
        "B=Hrt,",
        "5fF9\\",
        "9!d+\\",
        "6bq<V",
        "jn[c`",
        "Ajt=LJj",
        "b0m~x",
        "kj#x:3",
        "P)q*>",
        "t}I#*",
        "\\P<XoH",
        "=Oz>M",
        "[7$R|",
        "{nEb;",
        "R(oNJG",
        "~7`:{]hw",
        "xf%c6",
        "1:\"Bp",
        "%K7rs",
        "Sx5A:",
        ":~0@+",
        "``\"U.-",
        "F-n_`",
        "{#G^5",
        "|U_te",
        "}_iQx",
        "JgbuZ6<",
        "v$@rNP",
        "3^m2j|",
        "s+N0Q",
        "WOwh)",
        "w|lD!4",
        "lmvhd",
        "6:(NU",
        "V#:4>",
        "./h}O",
        "rwa6]",
        "#$GK3",
        "PQ[J\"",
        " A;}]N",
        "mueq[n",
        "?pL3^",
        "k|yTx",
        "|nz<o",
        "`{XjOAU",
        "Dbr\\Nq",
        "i(J8c",
        "VV)/Z",
        "dF-Z6",
        "LkqUc;m",
        ":G(;)",
        "6\"/lQ",
        "%aN36",
        "F\"c@3",
        "HOO:.8",
        "6\"7;.c",
        "#pH69",
        "lTZ(y",
        "WjL`}",
        " d[\"*N|",
        "M> FV",
        "^u\"j;",
        "Q+QFh",
        "]LCmW",
        "5WFQU",
        "#OXLw",
        "cU#nc{]+",
        "|HREo/",
        "5OPit_",
        "B5Qd<",
        "i=czWI*",
        "ce)X}B",
        "\\pmUC",
        "M;!3W40",
        "DS@)]N",
        "ywDeM#<y",
        "A><FKr",
        "C$Nhb",
        "Vij\\ ",
        "2lkkO",
        "[l/9l",
        ";,qnN",
        "mdtacomment",
        "+S<7r",
        "go/id",
        "I),CF",
        "@4<}9",
        "?4|p5",
        "6LUdkj",
        "R*~4A",
        "0=/o{",
        "LyIS?eA",
        "0C5bU",
        "lr2)Y",
        "Nbw8D7",
        "_(whq",
        "%q?AtP",
        "C'v\";",
        "h61Ni",
        "#IOSG",
        "h6Z)\"",
        "5c]%[",
        "uw8S@",
        "^g5:RU;",
        "ZM5Eoz",
        "Q[d=^L",
        "=u}hftD}",
        "%0*$G",
        "@\\k{1",
        "{M3b>?",
        "\"V_C aS4",
        "SZQeQ",
        ">tx>:y",
        "+@Nks",
        "r=W$rT",
        "C2\\\\h",
        "WFw~p",
        "wYH[R",
        "j%h75E",
        "*NEGe7JV<D>",
        "iyYeZ",
        "+Sz+D",
        "m7XpP",
        "yL7vA",
        "GZM?H",
        "yn!\\^A`?",
        "MM-y'",
        "SK6~d",
        "\\4VyA",
        "s6;xe\\",
        ":avcC",
        "`|RJIb",
        "Q[WQkMe",
        "f/2lY",
        ",S&m_V",
        "[/(i9",
        "$2/:5",
        "V=~dpz",
        "HnIl-",
        "r4)O,",
        ":\\@ G",
        "Vqy_e",
        "5HA9)a",
        "&<9\\d",
        "B(:D/}",
        "9Y\"\\%",
        "tMH~U|g-",
        "#ru2b",
        "fkY??W",
        "_2jOT",
        "1o|39",
        ";IK7U",
        "B}>l:",
        "x6V1x",
        "sbN:r",
        "Pm6m7]",
        "BnGei*",
        "-iT/F$7K#\\",
        "D!LY\\E",
        "(F\\5u3k",
        "8eHCN",
        "wz>^U",
        "TwG!q",
        "6Fe4qE",
        "1lF\\v",
        "*\"RuD",
        "<$sito",
        "3n2OB5f",
        "b/%9%",
        "l(vWU%",
        "NV^94",
        "px|Oe",
        "%/;oI",
        "B#_}A",
        "nKRy>",
        ",.*US",
        "C,>t]",
        "Djn:d",
        "NqqA}c4",
        "`!,R}",
        "4e`Lz",
        "&E^+<B",
        ">pE_1",
        "0W&04",
        "k]o5-G",
        ",~/ sb*c",
        "iuB^5",
        "?\"`< ",
        "@?8-,",
        "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ^",
        "%Mz-H",
        ";9<H9H",
        "1&U,Q",
        ":ghm@",
        "_>`wrQ",
        "Mfg'Mz",
        ">no<Q",
        "l)qer",
        "Q\\^Srt",
        "`]:$Nz",
        "hU6j2G",
        "c<vLX",
        ";GW7^E",
        "/0;H[>",
        "W7C5HE",
        "*r'e~",
        "h~'*B",
        "wr#u2*",
        "}'U_y",
        "H-[^%6v",
        "Xj| p",
        "@JT/=",
        "p-F&M",
        "#!?ME",
        ">nQ<r",
        "t,3\\;E*&",
        ":]JIk[|O",
        "#B!*p/",
        "*j}aa",
        "spy3G",
        "r0BR_z",
        "y\\QV[",
        "1!%O22",
        "{Rpj~",
        "xRG},2M",
        "0ipei",
        "k4!`3H",
        "rV^eTk",
        "9B{CQ",
        "]P VS",
        "VKS9#",
        "B/ot@kH",
        "?aX\\z",
        "_y!DD",
        "^0>S5j",
        "$Y/?$1?",
        "@lld3",
        "q&U'$`",
        "[#L)f",
        "%?s,Euv",
        "S[/'I",
        "8%/k[",
        "1.w@{",
        "3@yN\\7",
        "D\\Gac[!",
        "!/:$/v",
        "HgbD7",
        "Y<Sd[J:",
        "&C[Nb",
        "&I_~GE",
        "_+Tn%",
        "Z7co174",
        "rs-\"g",
        "&qx'\\CG",
        "+}u*t",
        "FkR'Q~T",
        "b9HBC",
        "rv;2(",
        "GD{Vc",
        "U.iSq",
        "8s[uz",
        "xeabT",
        ">2X*R",
        "LAWwq",
        "~qn 8x",
        "m|T&+r6~",
        "%Lv29",
        "|.T?Y",
        "YBa[P",
        "go>\\;",
        "\"%gDup",
        "M$X}@G",
        "6gg#t",
        "-W;Lf",
        "P-3E'",
        "G=$HW",
        "LMq?5",
        "e6O~.",
        "lj{On",
        "akvpS",
        "=T((f",
        "Y&i]w",
        "ljA/dA1",
        "dK{\\:",
        "z!.*Z",
        "{=r%|V",
        "KFy.h",
        "]R*Du_",
        "@&j%PV",
        "n@M3;",
        "9Kk./",
        "VA$, ",
        "!eTNs",
        "\"un-Q",
        "2t,E];",
        "A-CfXv",
        "T:\")b!b",
        "i[5xstO",
        ". o?#",
        "CAkPAw",
        "Q\\\\4w",
        "(oMpQ",
        "H[gW;(",
        "r:<-U",
        "bl$7y",
        "-Ly#Iu5l",
        "+ZFT!",
        "1%u=YpE",
        "K8Yf9",
        "Ifg_;n",
        "B<|U_X",
        "Jj{nD",
        "BWF5t",
        "v=d0^H",
        "]}.!}X",
        "S x}UB",
        "B(m\"\\",
        "D2wvT",
        "Vr\"JZ",
        "y^}kt5",
        "cFo9[p",
        "CmRTM}",
        "EbQXH6",
        "r!_a.",
        "PqpyS",
        "}/tS$9",
        "8:HU@",
        "`h@{>",
        "[I#Xvi",
        "{!qp ",
        "uV;Wp",
        "z#rnE",
        "M#&,t_",
        "IER4)",
        "\\0H8^",
        "2169q",
        "^p%o`",
        "#:K5S",
        "yEwv;Y",
        "(];(\\",
        "N:XQW",
        "ABx*o",
        "'pS)*",
        "`s+k`",
        "!sxc4",
        "mL{s|",
        "D,n44",
        "[\\5:i{",
        "t#HPj",
        "J/~BDj",
        "+'~5{",
        "8bQ$=b\"P",
        "VD!Wr$",
        "kV@Ul",
        "r4OFM",
        ";VI!9",
        "XUIdA",
        "-2BsP",
        ">Zi5k",
        "Nf_{i",
        ".j6:t1",
        ")1}06D",
        "O[e8NX",
        "];Kyy",
        "H\"7'|",
        ",XOFTD",
        ".:].;",
        "i4x'<iI",
        "s*A)2oQ",
        "H5}@j*",
        "Se+{r",
        ".#-IV=",
        "\"ikZ^)",
        "1L|b\\`",
        "-/HT,4",
        "U]IqE",
        "Ddy&SKk",
        ":LFDq",
        "<t!pc",
        ")u3Qw",
        "Bv{V'9S`[",
        "yI+fU}",
        "8R5l9)",
        ">ih\"m",
        "<(_,8!h",
        "5Zr~17;5':",
        "FrH~mvT",
        ".Lpq{",
        "~!PIY",
        "oee2k",
        "U%E%0",
        "7~\"g4XR",
        "^<6e ",
        "GRFRI,=5",
        "i{oy*",
        "I::S9",
        "We[P`",
        "%S4T~",
        "aBmWU'w",
        "Xe)j}",
        "Ji:AC",
        "rs]cG",
        "qqK@;",
        "$4Z8)t",
        "xdd+x",
        " >ItO",
        "zb/n''",
        "X606XV]",
        "JW1dX",
        "iYCh$b",
        "YdmNc",
        "5yH:f",
        "+\"ng|",
        "~*Xl.G",
        "p9\\.n",
        "7s$!R",
        "^CrtX",
        "4Y!/t",
        "HOJTi",
        "/DUzlN<",
        "%>'()",
        "|w?K(d",
        "ksfB7Nl@}",
        "BKmp<",
        "=BiioJ;",
        "k.@p)J",
        "P>[xX",
        "(G>E.w",
        "jV.<?",
        "]pY8~",
        "fbas{",
        "SFWt]",
        "o/Djv",
        "Iu]! ",
        "w'9cJO",
        "h3i[]",
        "wH~%)j",
        "#6FO62",
        "5SiJ9",
        "R6lGn&",
        ">+~Y%(a",
        "a9N*cx",
        "m?gG.",
        "N/`}N",
        "Xq]BK",
        "#u~S->X",
        "_G/Gt",
        "uqu[4",
        "P=)0)k",
        "i,4W`7",
        "'ri;dn",
        "Q=c ^",
        "JLBl42\"",
        "\\a(V}",
        "#fR~%>`L",
        "\"E-de",
        "p]0t0!",
        "7~zP0",
        "Kp4#a",
        "iD>Ye",
        "ly(!V",
        "Psh-9",
        "hIaV8 ",
        "&n+Pv",
        "FkNqB",
        "M-=~D",
        " Vd&c",
        "&VB6'",
        "uN]9oXB",
        "a&UTG",
        "|s6rky",
        "h9Was",
        "rH3Eh",
        "2:m4F",
        "~kz|n#",
        "[v|(~7S",
        "gR[9V%;",
        "n!`aeY",
        " ftypisom",
        "4ksTmY",
        "7+t^fZ",
        "SZ[R8",
        "*UjK!",
        "6B~f(",
        "T3*onC",
        ".%c#k",
        "LEBGx",
        "}brfd",
        "J%T6t",
        "qZ:S?",
        "!/ZVM",
        "Ue;$3O",
        "5*v]uS",
        "+=Gi`g[s",
        "?=>7nv",
        "WsA>]",
        "U,hL183q",
        "'i V`",
        "|T:@L",
        "E\\Oe%",
        "w7q5:",
        "| .#d",
        "B:.Uw,",
        "9;>;R",
        "/,a]*%+",
        ";&;GG",
        "4ZxG1-D`",
        "9ZO)rp",
        "Dw9~|",
        "?{nQNn",
        "7ISr$",
        ">9ZP'",
        "QQ42RD",
        "bS;\"x",
        "b)8Ta",
        "RUH^G",
        "<x@?^",
        "zQ5N&I",
        "G_(~!",
        "jW'/YddE",
        "*RL@\"",
        "@TqMAy",
        " Ue~X",
        "kHc*|",
        "isomiso2avc1mp41",
        "ELf3c",
        "\\4p4LX",
        "a=iX)",
        "+T-e(",
        "ja,'p1j",
        "z*4Q\\8",
        "K_ZP~",
        "xND){",
        "|I#s<d",
        "F*H\\H",
        "2:Bj`",
        "'\\PSw",
        "fqf!N",
        "z\\z_bU",
        "8>bJ(?",
        "omr]bP",
        "0rZD?4d",
        ":PUt+0i",
        "GC8a4",
        "pm*In",
        "UKLdY",
        "LtB|E",
        "n]3-#",
        "QMDy{",
        "0Yb}r}",
        "XH?8)",
        "OP~&T",
        "v\\F/&",
        "_GhDqfsN",
        "G=mv6rVL",
        "H2+jP",
        "{G)`9z)",
        "c|K5I9",
        "qCKZE",
        "2]_%L",
        "+:/gs",
        "8,A\\o4",
        "AE4E}",
        "_w^1wE",
        "_5{pIhz",
        "pF1{A",
        "F;:]5",
        "~>KL|",
        ")H9_G",
        ")`Jqa",
        "2gHcu",
        "JXt]|",
        ".3]\"V",
        "(9MjP",
        "u? ?m",
        ")cB!\\",
        "]c)HK",
        "B(I$F",
        "\\g@C{f&a",
        "/t!v{",
        "Rh=0]p",
        "k\\DWC(",
        "kc~N)",
        "dcD<Zh",
        "?G#SPa",
        "b#c;pe",
        "NJIe|",
        "q5s;M",
        "B;7e5",
        "',FG6R",
        "Rq%R'",
        "^QAh>d",
        "BN';S",
        "AMeu/",
        "l-s`ST",
        "VxY%54",
        "-RVCn",
        "gh#vfA@i",
        "}^P['",
        "Ax4CW",
        "_~M2)",
        "?6L0 E",
        "lK8WKg",
        "#}x[m",
        "x^p0]",
        "@~`cz",
        "M!lK$",
        "!k<#Cv",
        "6oA, QJ",
        "Qh*@U",
        "N}xq2",
        "BAghz",
        "S`1$'D>",
        "\"(3Md",
        "yIWoNE",
        "CAkhB",
        "5W8k ",
        "'pHBw",
        "q7mO}",
        "gkk28",
        ",/B@4x",
        "ex^6$",
        ">amOS",
        ";/*RXJ",
        "cpKTb/",
        "nK;oRN",
        "\"HV&[",
        "p'j'Ny2",
        "0?+UI+z",
        "_u$QYHSm",
        "O/G4\\",
        "NIa)z3",
        "S}OI{s",
        "vs>b~Ru",
        "w6wu1h",
        "\\y._ZWRr",
        "X\\b/L",
        "~Vvs}",
        "]U+F#X",
        "}c^+e~#",
        "V$N=\"",
        "M6QN><",
        "#yoYm",
        "ozoMZ-+",
        "L-FNk",
        "Z+ZUi3",
        "'FzKd",
        "r,j2n",
        "Hh&\\Y",
        "m.2l,bU",
        "7,q5@}r",
        "{%u(S8",
        "g)hfF",
        ">*(c;]M",
        "t&!WqQ*",
        "kSf[P",
        "xx7<{",
        "sGM)9",
        "7U pi",
        "2d_`;QX",
        "p[+}8",
        "hHpWRz>",
        ",7:!<c",
        "x5M!d",
        "dIF7V",
        " Uq>p",
        "+jqth=",
        ":')>Y",
        "5@_[,",
        "dW$<kC,2u}+",
        "]V/m/[",
        "pg{b~eodG+2",
        "^#efWVV",
        "Un)@u",
        "8HvpztR",
        ">BrOM",
        "pts5Kz",
        "2nU]Re",
        ";Y R\\[)",
        "llOpX",
        "qY0@T",
        ">9uKx",
        "ON;<l",
        ":ZcR@",
        "_#U:27",
        "bb8U:,i",
        "u_T}>",
        ")-KCq",
        "6jT]cX",
        "VAzt1",
        "|?c(D3)",
        "{gk,S",
        "{Pz|_R",
        "B6td7",
        "+sCLs",
        "*qZTZvs`",
        "]xpx+",
        "f%c.6",
        "Rj!7SX",
        "yy\"9N+07$",
        "{9QA!",
        "pLGKT",
        "b3A6k",
        "o6@c5L",
        "TThq\"I",
        "Tj.tan;",
        "l4*-7G",
        "m]2jz",
        "uLHpe",
        "4MuVF",
        "gX#<Z",
        "3eXgN@8",
        "J`cE:",
        "=.$.*",
        "c2qQp1vl",
        "=L8lwE",
        "!ATL2",
        "zzU'Q>e24",
        "5)>F9U",
        "GfI+]",
        "$Q4%r",
        "jKnf$",
        "v_=ct",
        "exsR#",
        "0OTLa",
        "{d9-D:",
        "8Bu-<\"",
        "uX2D&`e",
        "M\"JAf",
        "@EW^^fK/",
        ">$*'2vfWq_",
        "c4:mM",
        "yc6Nw",
        "yQ6 I",
        "`?{Iny",
        "4stsc",
        "J` sv",
        "p?KoX ",
        "[pl}T>",
        "$edts",
        "\"/jl4",
        "G+D'+J",
        "Y~?|\"",
        "=Moj\"i",
        "9e6]@",
        "r;6l+.6",
        "t4@<lS",
        "VyB5X",
        ":B65$",
        ":!K{8h",
        "P#-vC",
        "lr*l_\"",
        "HDwA=f",
        "dC^{H",
        "RCX!2",
        "m!7Em",
        ">#HP^",
        "6Q}TJ",
        "7T,7j",
        "~vQ~)f",
        "E^/f%",
        ")4nB,",
        "ljzlT",
        "LRVVG",
        "<ntC_",
        "G7@nV",
        "@:7?o",
        "ui#_}.",
        "kjII+IS",
        "(`/Ff",
        "ML{T'",
        "4=%!J",
        "]C{X-^",
        "eO8>+",
        "X8Gym",
        "$dinf",
        "=zH?^d",
        "[-ONgA`",
        "B8#w`",
        "88An^{",
        "BNiR ",
        "vid:v14044g50000d4rdkafog65mecorj980",
        "f?O[<",
        "P!ZRS'M",
        "2OM;ZBc",
        "ugYe`",
        "bhF]h",
        "U,Ikg",
        "|9)F\\",
        ";)L_J",
        "6:[T$",
        "ve+jr",
        "]cn_e`",
        "w*G\\F",
        "hs R]",
        "iO<m!",
        "[Ggn#",
        "|L[ch",
        "&i-u+",
        "S]!HS",
        "rxdss",
        "$-\\ -",
        "qUDDt",
        "njy{C",
        "n@+;bO",
        "d/C,`",
        "*^{il/",
        "d.RJ&",
        "AIWJl",
        "+0NgMji",
        "-[wXJ#",
        "R>9C?",
        "2=oyh",
        "29V/=Q",
        "YBeFiQ",
        "Yc.K$",
        "Ngk&l",
        "#cVm#",
        "fY-V+E",
        "u$`m&S",
        ">z/r.",
        "KV-;`",
        "[?Mb+",
        "5lhPD",
        "]U_p=",
        ":lx+@",
        "8:2\\ pr",
        "DM6\"X",
        "voaR(",
        "upu?I",
        "N8/(MGC",
        "xt-Zp",
        "sXd3\"",
        "C`w}R",
        "]4T\\P",
        "y/zs[df",
        "gbDk`Go",
        "KY/& ",
        "qN&FC#yc",
        "FBi[@^",
        "6r`|Y",
        "2LJeY4",
        "@hDcW",
        "/?Ib*9_P",
        "_Ur[bC0IQ3",
        "1}DYy",
        "yZb8y",
        ".B6fN",
        "$Y+1C",
        "l\"n[b",
        "Z?zWv",
        "w#+&`",
        "~3Rwl",
        "gWTM-",
        "}v)b>i|",
        "A.AX#",
        ";\\v|\"",
        "lF*9@c",
        "}{2,C",
        "QuD)29",
        "+IA ;",
        "]b15xA\\",
        "WIR}1",
        "XE`l+",
        " <Lc~",
        "/?W0\\",
        "lI_7y",
        "qw6x#u*",
        "Tf1L_",
        "KDXF?B",
        "[fPu(",
        "[2zmXW",
        "{aOmJ",
        "~U'_x",
        "ldDcdz",
        "%rUS\"",
        "umQ6l=F",
        "^*Q\\T",
        "@gD,X",
        "6F!+.b",
        "q}[tA\\",
        "|D`T3",
        "OGa3h",
        "ZCKv^e{",
        "<iK7.",
        "N{Ds>",
        "X#%[hi",
        "Xy:U^|",
        "EHPh>",
        "0KQSh",
        "!b-'kn",
        "BrdE<",
        "7d~+A",
        "nS7)x",
        "Nz:Ja+",
        "FBbuU",
        "Ej/8v",
        "4Ul?*",
        "|1!Y=",
        "zIBhq",
        "2=)0)b",
        "sHsH u",
        "&9}Jf",
        "r/?CZVn",
        "zGHom",
        "fk*$P",
        "u*f*Q",
        "RQd<2",
        ",^nN!w",
        "`U=&k",
        "fTAg&",
        "  =zp0%",
        "%fwU)",
        "jfn!s",
        ")nHnn",
        "U-Qx-",
        "b-1yZZ",
        "ogd$I",
        "wW3 k",
        "{2~cH[",
        "#oT.xYB",
        "5u$B\\",
        ">,azE",
        "\">\\(I",
        "P& Mu",
        "l0Zbb A",
        "/SQb|",
        "D'0\"{f",
        "TFNlosj",
        "mcL_~",
        "Nu [a",
        "ooK!~",
        "#Ns#c",
        "X/ \"N",
        "2m+l_ua",
        "d1}{o",
        "2MvmD",
        "WS=@e",
        "K0Si}",
        "\"]\"P}",
        "Gs Y;",
        "3iFRQ",
        "}*aQ=W",
        "d&x!28A",
        "NgDR?",
        "&{m=Fm",
        "Zce)E",
        "uqAQYUE",
        "re`%t",
        "LN>7s",
        "~}$jn$",
        "!9J54_",
        "gs7Sy",
        "Czh.[7&",
        "=[22G",
        "C30.&",
        ":`WDj`",
        ")Q76}E",
        "sj*5FF",
        "uuPI`",
        "-nYpLEM",
        "v~7V+R<",
        "0([ta^",
        "X*kRAX",
        "<Svk+",
        "#*>?oN",
        "]_,MB`",
        "HE2P{",
        "*2,D)+",
        "\"d-`F",
        "O\\b2P",
        "g9zp}76",
        "CPJ3%uLS",
        "Z'K]xY}",
        "eoR.>",
        "DY}[b#",
        "hKtpn",
        "PRNI.q",
        "XxgCX",
        "M2M.*F",
        "Jv,\\R+N",
        "~s<jHLS",
        ":=\\o$",
        "yA'C0",
        "~6u)|V",
        "Euioq",
        "cmk~T+",
        "]Z'3F",
        "~36q[ ",
        "/glHP",
        "eHf*:?(",
        "2NujV",
        "Q{^Xh08/",
        "p 6E{",
        "E%Fp,",
        "m>6\\N",
        "3%Xx.FT",
        "is'#3",
        "JwY~vy",
        "#_aQ?",
        "\\@sVW",
        "L(`x>",
        "W6Z/-d",
        ";umu~W",
        "V33b+G",
        "}I1b+",
        "ViSS(",
        "p@.0G",
        "dp}aj",
        "Fx~G?",
        "pSX9cEc",
        "?pOCQ",
        "Cbtc<1{",
        "Uu@5Y",
        "|I+M\\",
        "FVi.g",
        "]K~`.",
        "p/X+VV",
        ":? GZ",
        ")w=h{,E",
        "?vi!W ",
        "Mg)2:",
        "A-Kbu)",
        ":lNlK",
        "(4a9%i",
        "!1cJ*",
        "GY';c",
        "2D::G",
        "NWUfFP",
        "yD^A,",
        "a(O$/(",
        "v7lOb",
        "(5BT!",
        "Co+(>u",
        "7Bu0J",
        "z{j25",
        "8E##,",
        "YlQyb#",
        "9b8%,h",
        "ttd.Zp",
        "Q=#uWt",
        "v$GJ4oY4",
        "q!$:{Y",
        "'F'vs",
        "q%9\\cK",
        "jv{HH",
        "_DD+?b",
        " T{Q4",
        "y3TMO",
        "]Uf.q",
        "%AbR&&",
        "[!i-Y",
        "#+nHh",
        "GlK(lNw",
        ">g#8\"OK",
        "4<:iP%S",
        "J;$d+>",
        "\\da{q",
        "ZTNJQ",
        "A=)0)k",
        "nHV]'p",
        "w\"DW5",
        "q ;YQ",
        "z,K1P",
        ">)*}b",
        "g.I(u",
        "%eWi5",
        "CvgE6$;",
        "4Wy5~",
        "/G*ND",
        "[{4vz",
        "xOzZ#",
        "L q94",
        "*_4`T",
        "c(~hr",
        "D&?Sj",
        "kjD '",
        "3%B_sK",
        "Cv{dB",
        "`KOv]@]",
        "T9@wX",
        "E<R\"~B",
        "-J9'I>~",
        "ZrB9(",
        "rnq~0CZE",
        "&qs*y",
        "Euk.P\\",
        "3BK~?",
        "pm`2A",
        "U|ZOZ",
        "?^ZXX:1=",
        "vLWcB",
        "\"1DR3Wc(",
        "JtR/*-",
        "Z0Db^",
        "|*,\"7",
        "{U~L+e",
        "Kkp(0",
        "C)%%7",
        "<_B~V",
        "5$Z:d",
        "2VWNnNr_",
        "4@Dqv",
        "38mI5e;n:",
        "+7b4-J",
        "n4w>S",
        "pgw<T",
        "OF#oM",
        "_epc~",
        "c)CE^",
        "k!Nl8@s",
        "fx=iw",
        " ys=}",
        "Dm._P",
        "AyjYW",
        "!0P&2",
        "?f\\G)t",
        "M xP!uP",
        "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ^",
        "d,]KLZ",
        "'vq,]5",
        ".^Xa*",
        "MYT-QD",
        "D;0+!",
        "~yk/z",
        "S|3L^",
        ":,w7A",
        "W2K#)",
        "M)^Jr",
        "`x-(>",
        "Uf0VWe",
        "43yHD0::(",
        "~sP!l",
        "rC'-v",
        "SLe]m",
        "cd0|ECbb",
        "hgSY[L~",
        "2:t>wq",
        "hI]d-4n",
        "QfAvd(}<L",
        "I#BZmJV",
        "vCGKY^",
        "Q_T)a",
        ")=v_87",
        "3|5!5",
        "sX;4%",
        "[$^e{",
        "c+fGF",
        ">Y=`@",
        "|raht",
        "{uI{DLJ",
        "BNvP/<",
        ".[jte",
        "hWOwE",
        "]]drW",
        "kH <n-#",
        "5u=ud",
        "Q c;w",
        "Ae7jn",
        "x>/OM",
        "]3R+U",
        "DZMK#1",
        "p*E5W",
        "NpU/E",
        "zM]z;l",
        "))AV7",
        "s&w1+",
        "K<&7\\",
        " AN#6J",
        "]K`\\b",
        "fS t,",
        "HpDOO",
        "W%]*&",
        "k\\A5T4e",
        "yevdky(",
        "KBxNu",
        "7h2XT",
        "^HyI;",
        "Lavf58.76.100",
        "KYs9/",
        "Nkgv6",
        "X>te^",
        "R7(VJ<.faI",
        "]],NN",
        "cAT^9",
        "^9{lY@",
        "8<1i/f}y",
        ")k5PV",
        "!j[~S",
        "nE`V<!|",
        "&pFZN",
        "qxTv+",
        "JESyY",
        "5+;S9",
        "kxtqt",
        "WdR]{C",
        "iCmB0u",
        "fYRX]rY",
        "9|kf(",
        "hS&eB&6K",
        "B[sV,",
        "++vD>",
        "&pB>B",
        "sDZ>O",
        ";Te-S",
        "w2Ffs",
        "dn`s6Sc",
        "{\"aigc_label_type\":0}",
        "wq-ar",
        "b2`.G",
        "lYPK(]",
        "f[e'uv",
        "mfd#u9",
        "<7><_A$:m",
        "y,RV)B~Nv",
        "|?z~w",
        "IYv&x",
        "as%^y",
        "KhPkyp",
        "]?3qh",
        "AT%Go",
        "a4=\\5",
        "e8<_]",
        "EO_@E",
        "M\"%Ig",
        "$+5[t0",
        "=0]0^q",
        "fU=tN",
        "06`Cv",
        "WkTo%",
        "0z6a4",
        "*z`q^",
        "BJC/*",
        "6Qu)+",
        "r!){C3M",
        "Mh.KDodb",
        "4-JeO",
        "7C#[Ti^",
        "!I[Q_",
        "OZcHq",
        "-9#?Rf",
        "eS;s+D",
        "}oYiC",
        "s5}=V",
        "\"ZM:4",
        "^t?3]!b",
        "4+NRjM",
        "+~SBP",
        "\\BMI\"",
        "CbmoF",
        "v.]_S",
        "1cC\"s_",
        "l<+1@z",
        "@j@_i_",
        "X|Nui",
        ";Yb[|Y",
        "SFyW!",
        ":ZGvjFV",
        "5Ax#B?",
        "Z(VsL0",
        "7nW&y",
        "e=sEzc ",
        " iC#&(.",
        "/M}q/",
        "#v+!c",
        "?P!5y",
        "LfpXxv",
        "wnt^5",
        "3hY,<",
        "DpvAM'TVy}",
        "x_KH:",
        "I)@b.",
        "/@vsq",
        "G2*bYW",
        "Z/}S\"",
        "3pkJP",
        "``$[-",
        "*\"xOR",
        "X<]i_",
        "_Xlen",
        "l:NqMQ",
        "^[bw n~",
        "`h[v'2",
        "\\5p9A",
        "Th*nm",
        "mmp4a",
        " EN8%",
        "iD<!~L",
        "i8nmM",
        "x@Cuk",
        ",3=g\\",
        "ZZ%EW",
        "J*r{^",
        "Jrg$M",
        "c<33p",
        "A*/;3&Q",
        "x| Y$ja",
        "0ky,P",
        "Pd:G~",
        "E4LGS++",
        "gY8mN",
        "K'0H:",
        "q<?f_",
        "(CM>T",
        "j;0a9",
        "G-)B*",
        "T/T:;",
        "=ioc[",
        "yT'D,",
        "#~97l",
        "cCT:g",
        "mdtaencoder",
        "XYC1_",
        "_InC66",
        "K,Er}",
        "cHK\\E",
        "xP&F\"",
        "ZA~zD>",
        "`;LASo",
        "^4bYe",
        ")_!hW",
        "Vs.2lm'7",
        " tnC!",
        "3JL'd",
        "[]cEXE",
        "fV`h,qD",
        "]iRa>6",
        "EBYXPt",
        "ja4/7",
        "8u_;y4{)",
        "FL*MF",
        "YuV#u",
        "Y_FbA",
        "?7$uWUiB",
        "P H=B",
        "i6]My1I",
        "TD\\ct",
        "J5=E@",
        "<1*Q8W",
        "V6?~0P",
        "&\"ZG78]X",
        "X}ecXi",
        "kPzZH",
        "\"a]WtF",
        "@2\\Vh",
        "T!*wdMX",
        "$^3R&G",
        "xzQ}w",
        "6&)Tq",
        "7rgRb",
        "s3QMj",
        "hsy^_",
        "e+}=z",
        "|Su[=,",
        "4902eYq",
        "=mE!^lM",
        "N(o)>",
        "LcI|r",
        "~Fzr`",
        "V&F[f",
        "\\\\_|X",
        "c`[Iz",
        "#v1m9",
        "a9IYn,",
        ")Tzd.",
        "1b!6UE\\[I",
        "/EBN9",
        ";ht&.",
        "zoI)o$",
        "P(WPE",
        "uOahR",
        "rC_.n",
        "cGL![",
        "AB7$r",
        "90S5a",
        ":3ej$",
        "];c~v",
        "<SQw#",
        "%Gw} g[}",
        "UwAO,",
        "{i[/-",
        "q%JCJ Ql",
        "-hXL2",
        "\"xb5k",
        "vgA.9",
        "G%jxQ",
        "C~*$\\",
        "e~o&x4",
        "G`;.g2",
        "<G2dT@ =",
        "xT<:3",
        "[1oy]",
        "7NAmq",
        "Cg_dv",
        "~O40<",
        "GTWNu-,",
        "A%}4.`6V",
        "T%'y;",
        "iunc;",
        "gcgzYZ",
        "5:gq7",
        "-\\euB",
        "\"U_@k",
        "R\\{P!",
        "!=.OQ",
        "P_&%._u",
        "Tbj=a",
        "g Faa",
        "%&Rq[D",
        "W#Ma_p",
        "</_*a",
        "hZ?aT:V",
        "^4Agl",
        "ruSTs|",
        "Nkeys",
        "gH%Z\\",
        "<XIW0",
        "-~KHD",
        "4]2hq",
        "|e`PQ(",
        "lOdszb",
        "-=[e)",
        "XL$H>_(-",
        "XT_Y.,c",
        "%B[[R",
        "iA(P&",
        "_7IL\\",
        "u#*wQ9o",
        "a5oNa4",
        ";~JN#",
        "!!U$*",
        "}>k,6!6",
        "w^nBg",
        "(81}8",
        ";u,^c",
        "Az= 6",
        "4H2$[",
        "O^5G,",
        "VideoHandler",
        "/OHIB",
        "t`UD_",
        "k)!>|NxZ",
        "84JA@",
        "`H:.$Ud",
        "\"L_j9^",
        "t9zjLZ+",
        "q6U&d",
        "p_[U8",
        "'N_ik3",
        "-'>y,",
        "M`k[$'",
        "O(AD[",
        "4)HfmSF",
        "f-1xgy;",
        "Z0,Gl",
        "7wjMg",
        "|Hox;zgy",
        "kfpG~m",
        "*$?rq",
        "ei&A>",
        "Er%\\C|",
        "!Roh ",
        "*F%.mgs",
        "fx jP",
        "^_hi*",
        "{yXwX",
        "(5E@+",
        "E5t{x",
        "s^Tb4",
        ">0\"4('",
        "lhreR",
        "%HPhd",
        ".XQ`VGp",
        "A5cJD:",
        "\\6T7%",
        "K3ifC",
        "Vq.jX",
        ",0!?c",
        "UfZjXz",
        "jUEoc",
        "f]9ED",
        "Usf/U",
        "J/j@(XhC`",
        "qYe_2",
        "(~ujFu",
        "_2Uu7",
        "UM|9*",
        "F<=Q<\\",
        "~T~s0'&d",
        "R3k/Icf",
        "^{sv}",
        "`t0Lk",
        "CDtBc",
        "E)-@{",
        "YPCY[",
        "tx##K[\\",
        "RQJ#;",
        "3W|uQ[",
        "^)zpG",
        ":-e`?",
        "c[F0K",
        ";yLf4Q$",
        "X>[sY",
        "Udf8A*&|oy.",
        "[IWs5H",
        "+2)^)",
        "o^/o8",
        "Q<wmh^",
        "oC3\"8",
        "`[tft",
        "[_\"#zn4",
        "1Q** B<Y",
        "aCRiX",
        "%l#Q;",
        "\\}d ^3i",
        "bLGau",
        "uq$gXn\\",
        "c?n[U",
        "3g]&om2",
        "sNMJ=",
        "L-h9>",
        "<,>4+2",
        "A1?s9",
        "L9+L>4",
        "X##Gy",
        "'2Brw>",
        "f~-nb",
        "C]Y~_",
        "wzY\"P&C",
        "S0jrQw",
        "f1x?IG",
        "[1yCqc",
        "Z)1$_",
        "Tr2ai9",
        "i5q6>#",
        "~=f.mG",
        "]/*=-m",
        "7q~5'",
        "|/$=Qe",
        "MaX|-",
        "nfjO\"",
        "!hdlr",
        "*\"9\"3",
        "8[cPR",
        "EIi>H",
        "%a,)b",
        ".Pg24k",
        "O<j9'",
        "]=L>,5",
        ";,,K;",
        "?'/s.o",
        ";vx|q",
        "bXf9T",
        "6v;{*",
        "}ZeX|r",
        "L.{I+",
        "A.3kc",
        " YmkR",
        "=w'?U",
        "nLy$h",
        "S7Y]R",
        ",B%e$",
        "f/)Zwb",
        "'] nH#",
        "-XCIi",
        ",w\\0\"",
        "_CVyew",
        " H-Ux",
        ")Z6a5;",
        "lFz1=",
        "BqPtz",
        "|Bls&",
        "7xT8(.",
        "y^+Q>",
        "!Ve7l",
        "4OYYUN(",
        "H!I;a\\Lp",
        "8.BYG[O",
        "=minf",
        "9Yf?'",
        "f-noJ0",
        "1TzZgp",
        "`3+#@",
        "ZTJ1F",
        "0!r/<",
        "hvYS~",
        "S g&U",
        "LT$es",
        "Z7?3/",
        "kG\\Ny",
        "IMu~i%",
        "JcxE&",
        "b,Zm}",
        "_['chP",
        "';f2u",
        "R>lAJ",
        "X4O}fW",
        "*alBN2",
        "]}~/a",
        ">?>d>",
        ">)E>e",
        "O66&w",
        "XddhJ",
        "y%6&;p",
        "vP-/.9",
        "djr'9",
        "mu#8N",
        "L8S]x",
        "=TA9j",
        "}_/K[7",
        "_-gSB",
        " uA$/",
        "(xV-i",
        "CKue}",
        "`G['LW",
        "A^L:^S",
        "AX8zz~",
        "/^dD>",
        "\"*`R_",
        "PI{6B;",
        "|!Bxw",
        ">Ir[6",
        "?QcIV",
        "@Bi)f",
        "Tz@w-YI",
        "~-[0s",
        "#=&6A",
        "QZ~@H",
        "UA'B,*bQ",
        "3(3m=",
        "PD$o+",
        ">\"98r",
        "m~k,a",
        "NX$OF~",
        "NDn\\y",
        "({Pwy",
        "' zxn",
        "M?an<",
        "-#>jZo<",
        "<aAbhiAP",
        "YO%{/",
        "b'KlS1",
        "D;NyI",
        "EKe@#",
        "V}%u(P",
        "71|/i",
        "(3^$9",
        "0data",
        "k!uK#",
        "Z&.J\"",
        "[1c9'?",
        "p)<*\\",
        "MK|Ej",
        "P_U]io%",
        "mqwdw)",
        "R:CLeQ?(",
        ".`#J1",
        ";{h;8Z8",
        "B[zBcc",
        "KOU7<c",
        "`?Yqv",
        "QW/!u'",
        ".\"]}\"p",
        "NE@7M",
        "2d9Jm",
        "GV?Z2.*",
        "[*CUfo",
        "L9yAv ",
        "cZv{,e",
        ":!]<%m}|D",
        "Fcw{f",
        "WFR>v",
        "@rL+G",
        "&\"/pBY&6",
        "2;,J5",
        "t2OEG;",
        "U>E kSI",
        "<>hbq",
        "UN[Zm",
        "cKe?c",
        "6{w6B",
        "|>X@&",
        ";L\\qu",
        "5[?Ki%",
        ")2W##",
        "R!wQQ",
        "IMs8yI",
        "amLs+*",
        "DS@P(",
        "NE?u+",
        "YMxCC",
        "STVh2",
        "-hdlr",
        "eP;qiS",
        "xAAH]",
        "[\"o[#",
        "\"wlLL\"xDB",
        "u+23x",
        "mdtaaigc_info",
        ";n9v7",
        "?%r_#~",
        "9P@ XyW",
        "z=,~}",
        "2ONV%",
        "hI0&I",
        "=)tz~",
        ">UsDy",
        "]zY8pC",
        "%\"It`",
        "O+Y2zQc",
        "n>V-/t",
        "[CiC-/",
        "-:nBN",
        "&D$CK",
        " OY8m",
        "~2*./1*:",
        "-9L)9",
        "H+\\tf",
        "slhFT+",
        "IP88U",
        "{4zFd",
        "VKlJ;)",
        "y{wMavn;",
        "'_QrW",
        "\\tkhd",
        "l%;:fk",
        "W@$2^",
        "pi{\"{",
        " .08^",
        "]4q7 ",
        "Imeta",
        "bEb7*t(",
        "9/=z*",
        "Bc\\D~",
        "wB.y}8",
        "}?_?Ut",
        "wDr8n",
        "p)yL ",
        "Ei70J",
        "pO]0j",
        "q_LsN",
        "@i@|h",
        "5 hlP",
        "Wz8th",
        "IQ_&w",
        "lp-g&R",
        "z+$CkLi",
        "oLLZ![",
        "w0I+n",
        "{{-NE",
        "0$Qex",
        "<!Q%4",
        "=QKN$",
        "&t2V_",
        "rkx-9&",
        "@T8xGO",
        "4fVSv",
        "Siz|Pb6",
        "UJd>U",
        "a@>x?[}",
        "jWoaI",
        "fOpr~",
        "sS\\@mXs",
        "^g+MA2~",
        "G*|e#",
        "mdtavid_md5",
        ";5_sv",
        "}q~#rQ",
        "Qc}ch",
        "t&X$%",
        "yN\\rl",
        "eW\"R/_",
        "Pxg+N",
        "QO2!owj",
        "RB:>?R",
        "WM'A ",
        "pzcs#f",
        "Zzu4P5",
        "R5{Ua&",
        "Czj&_",
        "=1j<=g",
        "3\\oo5",
        "oMP?v",
        "4g Xa",
        "N#B@U~[",
        "5Pya}",
        "zX[e)",
        "ApZ)0",
        "(T|WZ",
        "U(m38}@$",
        ".ox`K",
        "nDHEu9",
        "r3Up)",
        "Cl?~k",
        "j;hb9",
        "&< gZ",
        "r)RDw",
        "g7b=F",
        "LF)X\"d",
        "}esgv",
        "}EEgmW",
        "$O_o'",
        "~9J|R",
        "Z6hz,X",
        ")b5E\"",
        "\"~K2VHw",
        "hx1+ry~ozn",
        "BZRjNx",
        "e{aD[",
        "ek9vV<j",
        "9TYF[",
        "SoundHandler",
        "(*MU)",
        "A^2Yy",
        "f69\\~",
        "c;X3S0j",
        "F}5y#L-",
        "WF\\YS",
        "~H{l4?",
        "3`6j\"'Pq5",
        "^ZN~B",
        "V H8]OnvA",
        "At;SC",
        "&I<3T",
        "o+oW!",
        "3/eEp",
        "hv:a7t",
        "D*6S  s",
        "\\^PS%Ge",
        "{{uk0",
        "Le)ZT-!@",
        "UH1G'r",
        "wQ94H^",
        "?H)BY",
        "@1tNjQ",
        "(G*t.%",
        "e>X&1",
        "8w ^>",
        "Lw}oQ",
        "6Q\"(Txm",
        ")(\\BA",
        "zV26AYH",
        "6gpfk",
        "8`R#&z\\:",
        "sQBQ.",
        ".P52S",
        "#kvze",
        "?h$d!Cy2",
        "Qtd_1P",
        "6\"Rv$?",
        "zTycTu",
        "aGE,Q",
        "DIXg<]",
        "hg,4_",
        "[pt7q",
        "u3EsE",
        "BNj_3",
        "st$0f",
        "*5bZ.",
        "J36^R",
        "*mIl|",
        "d%U}#V",
        "kmDdT",
        "o/udF",
        "*E5ZQ",
        "rphGf",
        "7dgWZ)i",
        "vum#z",
        "l_RJk",
        "XTHMJY",
        " G(mw?-",
        "dzM E",
        "]}Gk[w`a",
        "%N1e6F",
        "\\$^y-\\6S",
        "W~pW%",
        "1e/ 5$",
        "nT6\\4",
        "FpEs:`",
        "`e=~^m",
        "Kz}kh>gX",
        "pw]l\"m",
        "]jK5f",
        "Jb1@f",
        "XX(XXH7S",
        "m&0Qp",
        "4qJiu",
        "_(\"}A",
        "+9=V<",
        "T]),^8",
        "BX*AO\"",
        "7493f1dfd5f71733de08b0948dd9588a",
        "O\\=I-[",
        "S=Wjbz",
        "DwQLn",
        "Ns\"?~",
        "t-,=%",
        "\\G0 #",
        "Iq/'7",
        " PgXY",
        "a&:w,!",
        "=BPO ",
        "<+2YW?",
        "xHS;s",
        "\\F|.1",
        ".u8dd",
        "Aky2u",
        "Zm|i=",
        "L?~93",
        "OOeNR",
        "Q2'+>q",
        "4xvf4",
        "N5X,C",
        "llu,IQuG",
        "G\\~xV",
        "?Mu\\p\\",
        "_cWk7",
        "Y-|e8D",
        "@A+At",
        "@oL,{",
        "uv.r6",
        ")_VGO",
        "zI1H!",
        "rqYr6",
        ";HnwO",
        "&:5@O",
        "zfY#x",
        "X2\\(-",
        ":zWVmf",
        "BV|-8",
        "yx$Ua",
        "\\xq.U",
        "pF:M.",
        "SB5}9",
        "r@&u[",
        "Ke2m4",
        "pAloB",
        "K^e7{",
        "68\";L",
        "VGT4I",
        "Qudta",
        "j>o:*",
        "daQzE",
        "m\\z@N",
        "fgv\"]}",
        "V,8T%",
        "#|./`",
        "Xa\\6A",
        "rI=Ds",
        "w!y,|",
        "g.Mh5",
        "@C/<\"r",
        "{eR :(",
        "I6~%a",
        "`l_F\"",
        "e`;Xj",
        ">j|$}m",
        "Hj8Su",
        "t-g{U",
        "\"vp-QY",
        "[hib~Y",
        "!\"63c",
        "EPEQnt",
        "bM D{m",
        ";bR7S",
        "0nZ%9",
        "Be@ei",
        "NiUSo",
        "WMCRU#",
        "5!:YRv",
        "? ,IZ",
        "D_C=/",
        "a_g(M",
        "eY\"9t",
        "_J3ew",
        "m64=P",
        "NcCgf",
        "+X<Q'~",
        "]X^6L",
        "SDRB(",
        "Kh ,p",
        "\"%8d#_",
        "L~.]P",
        "WY9ksKY",
        "N(\\0 ",
        "lcv%J",
        "#r#e|!^",
        "&-Y7w",
        ":LL1y",
        "qE4LG",
        "Z/mM!D",
        "yKi`6",
        "SuXI'",
        "NI\\%1",
        "u2x$m",
        "<BySH",
        "[)3uU",
        "I[TwcW",
        ")U<HyB",
        "W|cF~X",
        "a^z?{",
        "eZ\"&2N]",
        "9o'LOv0",
        "]x7Y2",
        "m#g.k",
        "NaqI7",
        ">%:0C",
        "f5d99c",
        "=Ol0K",
        "s0 Rf",
        "@#=<6",
        "GU%al",
        "4jpVF",
        "ciBa6",
        "0$:e,R`",
        "SE]%`7.",
        "VLWbR",
        "g9: Cz",
        "9e%U\\!T",
        "bs9|q",
        "(XazCX",
        "),4B.",
        "C\"/c_",
        "+Tk;N",
        "s?ml%",
        "EV)ib",
        "ey OC@",
        "\"px4>",
        "clt]AR",
        "L:%<7",
        "+:'41",
        "Vxfyv",
        "_Q )8",
        "Cw7/u",
        "+NzAu",
        "}k-fp",
        "_$[jx",
        "lH1`Jn",
        "Hn<i[c",
        "RC$;$",
        "NrMtk",
        "GfvFF",
        "B6n+8",
        "}stsd",
        " \";<XW",
        "colrnclx",
        "\\cV4uQ",
        "q4mQW",
        "~(k_pVP",
        "k{,x(E",
        "cL8\")z",
        "\"I3xW9",
        "&\\?'=",
        "z\"G4D",
        "J5!;O",
        "~'ScH0",
        "m\"]>|",
        "<1Ri7",
        "G`8\\P",
        "%=yZuL",
        "GRM_(",
        "%ixY~",
        "[l{P7",
        "YdtMy",
        ".Njrv",
        "A7F7J2",
        "y#rLG",
        "HR/2%",
        "#yv%>",
        "A/%LZ",
        "$Y:-M",
        "?gc[t",
        "817oa",
        "340,tr",
        "/-;|Tug",
        "\\9);1",
        "Uy@&L",
        "iI]oq",
        "OP*/>B^",
        "QF<<o \\1",
        "y#Y66X",
        "+}^BWL",
        "u;wANw",
        "AIy2p",
        "Sn~0WS;6",
        "zp?&Rb",
        "T2CR,",
        "\"=%;i]W",
        ",w Y.",
        "]ZZ+\\",
        "X1OR~",
        "+OAwzN\"",
        "'PI>V(IV",
        "}3hTBOcrNE",
        "Bvr*j2",
        "-6zk,",
        "zmk=iiV?",
        "Dfz.!",
        "B<` rG%",
        "=8J_T",
        "HUUmy",
        "\"Oj^I",
        "4nyUm",
        ":m:xV",
        "o:Z+>",
        "nN;Dm> ",
        " mdhd",
        "(b-UG",
        "&n0K7",
        "O9$bO_~h",
        "G(P<!",
        "#zq'0",
        "$:[al#_",
        "B]x@5",
        "(3j~'",
        "|JB$B",
        "&m(e/K",
        "EWeMq",
        "qQ*z$e",
        "^qn|n",
        " stts",
        "Z5F;@fb ",
        ";MDo3",
        "u%~zZ",
        ">cdOS",
        "bvc0ot v2.2.1.3-20250220 ",
        "uV+Pu",
        "^0#pQ",
        "LP\"By",
        "WDlXO",
        "|m+GU",
        "}@)5)",
        "3>]H34",
        "ZR{~yW{",
        "Zj^>\"",
        "jDZ5%",
        "fk?!s",
        "a-{f`",
        "bqU~E",
        "v$!x+6",
        "&7LE^",
        "c,.5VO",
        "v&9F*",
        "/9=#_",
        "xn|(Xj",
        "V5Dob",
        "8/3'J",
        "0-1,?j6",
        "Jwvo^\\",
        "wK)-Y",
        "V^vHEM5",
        "A#!)N*",
        ">`dyhW!^j",
        "bT1~1",
        "'a5B/:",
        ".NW80/",
        "qLxI2",
        "Z<##7u",
        "He4R[",
        "9qK<&",
        "9]6jj",
        "+9=^3",
        "(Re;J",
        "CNV,t ",
        "5)bEd4",
        "B=<qs",
        "a^o`u",
        ",Mtr&",
        "/;t)c",
        ")~)0J",
        "AI`hbb",
        "a$y ,e",
        "B?<gO6k",
        "NvK@zr",
        "t]&,%",
        "@8~rg",
        "KWhzl{",
        "uSY>B",
        "::J_P",
        "E=zfq",
        "}LGeg",
        "?'yHSQ",
        "12Be.{",
        "b>UfD",
        "E1K04",
        "zun{nB\"",
        "oLvgtZ",
        "vn[Y^Q",
        ":hRj-",
        "\"Sf)}j",
        "bKvKI",
        "ujtu[",
        "sGzx&P",
        "q$oysO",
        "Zw%>5",
        "xle3BCO",
        "h~:>|",
        "GO[Y.A?",
        "+&*`u",
        "ixORc",
        "6GBNM<)&$",
        "NdLDK",
        "0YHOc",
        "QT~\\!",
        "W{~I~",
        "/$`uxPU[z-",
        "v%}ZF",
        "DmmmNu/",
        "e|P,)",
        "Echc{E",
        "Ha>NB",
        "{tHuo",
        "y|IC:i@B5",
        "dR=l:)",
        "L*g;\"",
        "'1QRP'D",
        "Nia}6X",
        "e\"Ivs"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "procdump": [
    {
      "name": "7c4d1031e9b4e2df6c5f9d12568c6ca93d6bcafaef81b4e2a6c1e540e4de07d0",
      "path": "/opt/CAPEv2/storage/analyses/97/procdump/7c4d1031e9b4e2df6c5f9d12568c6ca93d6bcafaef81b4e2a6c1e540e4de07d0",
      "guest_paths": "1;?C:\\Windows\\System32\\cmd.exe;?C:\\Windows\\System32\\cmd.exe;?",
      "size": 401920,
      "crc32": "603E3862",
      "md5": "33fc708c4c7f3a34ba800b6281ac941f",
      "sha1": "5411237fee6085e9b1cb3c38ae6ab2d8d5340b66",
      "sha256": "7c4d1031e9b4e2df6c5f9d12568c6ca93d6bcafaef81b4e2a6c1e540e4de07d0",
      "sha512": "f573617c3723375b77d735a885c7e7d7de72048ffe8f7678bd5530527da02d89abe75f9561bc079f38e243cb25829b239b752fd21a76b02321e1163c73225693",
      "rh_hash": null,
      "ssdeep": "6144:d4WA1B7BxDfQWKORSqY4zOcmpdlc3MJdmtWl4m:U1BvkWvSqY4zvmjO8JIr",
      "type": "PE32+ executable (console) x86-64, for MS Windows",
      "yara": [],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T182843A1D239818A5E5238179D903C276C6B27D346321A6EF22D0CD7B7F63AE97638F05",
      "sha3_384": "1aaf7aba1bd4657bb9cba5a8faa8200e9bff0ed292c6fa1b0ef3d97a1edb96634c3c1fbb86f3f0148d932e7bf70e4e3a",
      "yara_hash": "68e243d1d9aeb1f1e94057af9823c58e140832514ed3e7b46b181bf94e4e12ce",
      "options_hash": "b7818797508282994ea72592ded64b364725c9400a38d418189579c94a89385e",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "File not found: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\97\\ssstik.io__jeznions_.mp4",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x7ff79a450000",
        "entrypoint": "0x00018f50",
        "ep_bytes": "4883ec28e82b0600004883c428e91efe",
        "peid_signatures": null,
        "reported_checksum": "0x0004d4af",
        "actual_checksum": "0x000626eb",
        "osversion": "10.0",
        "machine_type": "IMAGE_FILE_MACHINE_AMD64",
        "pdbpath": "cmd.pdb",
        "imports": {
          "msvcrt": {
            "dll": "msvcrt.dll",
            "imports": [
              {
                "address": "0x7ff79a483af8",
                "name": "_setmode"
              },
              {
                "address": "0x7ff79a483b00",
                "name": "exit"
              },
              {
                "address": "0x7ff79a483b08",
                "name": "iswxdigit"
              },
              {
                "address": "0x7ff79a483b10",
                "name": "time"
              },
              {
                "address": "0x7ff79a483b18",
                "name": "srand"
              },
              {
                "address": "0x7ff79a483b20",
                "name": "_wtol"
              },
              {
                "address": "0x7ff79a483b28",
                "name": "fflush"
              },
              {
                "address": "0x7ff79a483b30",
                "name": "wcsstr"
              },
              {
                "address": "0x7ff79a483b38",
                "name": "iswalpha"
              },
              {
                "address": "0x7ff79a483b40",
                "name": "wcstoul"
              },
              {
                "address": "0x7ff79a483b48",
                "name": "_errno"
              },
              {
                "address": "0x7ff79a483b50",
                "name": "printf"
              },
              {
                "address": "0x7ff79a483b58",
                "name": "rand"
              },
              {
                "address": "0x7ff79a483b60",
                "name": "fprintf"
              },
              {
                "address": "0x7ff79a483b68",
                "name": "wcsncmp"
              },
              {
                "address": "0x7ff79a483b70",
                "name": "_pipe"
              },
              {
                "address": "0x7ff79a483b78",
                "name": "_commode"
              },
              {
                "address": "0x7ff79a483b80",
                "name": "_lock"
              },
              {
                "address": "0x7ff79a483b88",
                "name": "wcsrchr"
              },
              {
                "address": "0x7ff79a483b90",
                "name": "realloc"
              },
              {
                "address": "0x7ff79a483b98",
                "name": "towlower"
              },
              {
                "address": "0x7ff79a483ba0",
                "name": "_initterm"
              },
              {
                "address": "0x7ff79a483ba8",
                "name": "__setusermatherr"
              },
              {
                "address": "0x7ff79a483bb0",
                "name": "setlocale"
              },
              {
                "address": "0x7ff79a483bb8",
                "name": "_wcsupr"
              },
              {
                "address": "0x7ff79a483bc0",
                "name": "iswdigit"
              },
              {
                "address": "0x7ff79a483bc8",
                "name": "_ultoa"
              },
              {
                "address": "0x7ff79a483bd0",
                "name": "_cexit"
              },
              {
                "address": "0x7ff79a483bd8",
                "name": "_unlock"
              },
              {
                "address": "0x7ff79a483be0",
                "name": "_exit"
              },
              {
                "address": "0x7ff79a483be8",
                "name": "__dllonexit"
              },
              {
                "address": "0x7ff79a483bf0",
                "name": "_wcsicmp"
              },
              {
                "address": "0x7ff79a483bf8",
                "name": "iswspace"
              },
              {
                "address": "0x7ff79a483c00",
                "name": "wcschr"
              },
              {
                "address": "0x7ff79a483c08",
                "name": "fgets"
              },
              {
                "address": "0x7ff79a483c10",
                "name": "??_V@YAXPEAX@Z"
              },
              {
                "address": "0x7ff79a483c18",
                "name": "_pclose"
              },
              {
                "address": "0x7ff79a483c20",
                "name": "ferror"
              },
              {
                "address": "0x7ff79a483c28",
                "name": "_onexit"
              },
              {
                "address": "0x7ff79a483c30",
                "name": "__CxxFrameHandler3"
              },
              {
                "address": "0x7ff79a483c38",
                "name": "_open_osfhandle"
              },
              {
                "address": "0x7ff79a483c40",
                "name": "_close"
              },
              {
                "address": "0x7ff79a483c48",
                "name": "feof"
              },
              {
                "address": "0x7ff79a483c50",
                "name": "_dup"
              },
              {
                "address": "0x7ff79a483c58",
                "name": "_wpopen"
              },
              {
                "address": "0x7ff79a483c60",
                "name": "_wcsnicmp"
              },
              {
                "address": "0x7ff79a483c68",
                "name": "?terminate@@YAXXZ"
              },
              {
                "address": "0x7ff79a483c70",
                "name": "memset"
              },
              {
                "address": "0x7ff79a483c78",
                "name": "wcstol"
              },
              {
                "address": "0x7ff79a483c80",
                "name": "_get_osfhandle"
              },
              {
                "address": "0x7ff79a483c88",
                "name": "_dup2"
              },
              {
                "address": "0x7ff79a483c90",
                "name": "_getch"
              },
              {
                "address": "0x7ff79a483c98",
                "name": "towupper"
              },
              {
                "address": "0x7ff79a483ca0",
                "name": "memcmp"
              },
              {
                "address": "0x7ff79a483ca8",
                "name": "_setjmp"
              },
              {
                "address": "0x7ff79a483cb0",
                "name": "wcsspn"
              },
              {
                "address": "0x7ff79a483cb8",
                "name": "_fmode"
              },
              {
                "address": "0x7ff79a483cc0",
                "name": "qsort"
              },
              {
                "address": "0x7ff79a483cc8",
                "name": "__set_app_type"
              },
              {
                "address": "0x7ff79a483cd0",
                "name": "_tell"
              },
              {
                "address": "0x7ff79a483cd8",
                "name": "_wcslwr"
              },
              {
                "address": "0x7ff79a483ce0",
                "name": "longjmp"
              },
              {
                "address": "0x7ff79a483ce8",
                "name": "_local_unwind"
              },
              {
                "address": "0x7ff79a483cf0",
                "name": "_purecall"
              },
              {
                "address": "0x7ff79a483cf8",
                "name": "__C_specific_handler"
              },
              {
                "address": "0x7ff79a483d00",
                "name": "??3@YAXPEAX@Z"
              },
              {
                "address": "0x7ff79a483d08",
                "name": "memcpy_s"
              },
              {
                "address": "0x7ff79a483d10",
                "name": "free"
              },
              {
                "address": "0x7ff79a483d18",
                "name": "calloc"
              },
              {
                "address": "0x7ff79a483d20",
                "name": "__getmainargs"
              },
              {
                "address": "0x7ff79a483d28",
                "name": "_XcptFilter"
              },
              {
                "address": "0x7ff79a483d30",
                "name": "_amsg_exit"
              },
              {
                "address": "0x7ff79a483d38",
                "name": "??1type_info@@UEAA@XZ"
              },
              {
                "address": "0x7ff79a483d40",
                "name": "memmove"
              },
              {
                "address": "0x7ff79a483d48",
                "name": "memcpy"
              },
              {
                "address": "0x7ff79a483d50",
                "name": "_CxxThrowException"
              },
              {
                "address": "0x7ff79a483d58",
                "name": "_vsnwprintf"
              },
              {
                "address": "0x7ff79a483d60",
                "name": "swscanf"
              },
              {
                "address": "0x7ff79a483d68",
                "name": "__iob_func"
              },
              {
                "address": "0x7ff79a483d70",
                "name": "malloc"
              },
              {
                "address": "0x7ff79a483d78",
                "name": "_callnewh"
              },
              {
                "address": "0x7ff79a483d80",
                "name": "??0exception@@QEAA@AEBQEBD@Z"
              },
              {
                "address": "0x7ff79a483d88",
                "name": "??0exception@@QEAA@AEBQEBDH@Z"
              },
              {
                "address": "0x7ff79a483d90",
                "name": "??0exception@@QEAA@AEBV0@@Z"
              },
              {
                "address": "0x7ff79a483d98",
                "name": "??1exception@@UEAA@XZ"
              },
              {
                "address": "0x7ff79a483da0",
                "name": "?what@exception@@UEBAPEBDXZ"
              },
              {
                "address": "0x7ff79a483da8",
                "name": "wcscmp"
              }
            ]
          },
          "ntdll": {
            "dll": "ntdll.dll",
            "imports": [
              {
                "address": "0x7ff79a483db8",
                "name": "RtlLookupFunctionEntry"
              },
              {
                "address": "0x7ff79a483dc0",
                "name": "RtlCaptureContext"
              },
              {
                "address": "0x7ff79a483dc8",
                "name": "NtOpenProcessToken"
              },
              {
                "address": "0x7ff79a483dd0",
                "name": "NtQueryInformationToken"
              },
              {
                "address": "0x7ff79a483dd8",
                "name": "NtClose"
              },
              {
                "address": "0x7ff79a483de0",
                "name": "NtOpenThreadToken"
              },
              {
                "address": "0x7ff79a483de8",
                "name": "RtlFreeHeap"
              },
              {
                "address": "0x7ff79a483df0",
                "name": "NtFsControlFile"
              },
              {
                "address": "0x7ff79a483df8",
                "name": "RtlDosPathNameToNtPathName_U"
              },
              {
                "address": "0x7ff79a483e00",
                "name": "RtlVirtualUnwind"
              },
              {
                "address": "0x7ff79a483e08",
                "name": "RtlFreeUnicodeString"
              },
              {
                "address": "0x7ff79a483e10",
                "name": "RtlReleaseRelativeName"
              },
              {
                "address": "0x7ff79a483e18",
                "name": "NtOpenFile"
              },
              {
                "address": "0x7ff79a483e20",
                "name": "RtlDosPathNameToRelativeNtPathName_U_WithStatus"
              },
              {
                "address": "0x7ff79a483e28",
                "name": "NtSetInformationFile"
              },
              {
                "address": "0x7ff79a483e30",
                "name": "NtQueryVolumeInformationFile"
              },
              {
                "address": "0x7ff79a483e38",
                "name": "NtSetInformationProcess"
              },
              {
                "address": "0x7ff79a483e40",
                "name": "NtQueryInformationProcess"
              },
              {
                "address": "0x7ff79a483e48",
                "name": "RtlNtStatusToDosError"
              },
              {
                "address": "0x7ff79a483e50",
                "name": "NtCancelSynchronousIoFile"
              },
              {
                "address": "0x7ff79a483e58",
                "name": "RtlCreateUnicodeStringFromAsciiz"
              },
              {
                "address": "0x7ff79a483e60",
                "name": "RtlFindLeastSignificantBit"
              }
            ]
          },
          "api-ms-win-core-kernel32-legacy-l1-1-0": {
            "dll": "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483788",
                "name": "CopyFileW"
              },
              {
                "address": "0x7ff79a483790",
                "name": "GetConsoleWindow"
              }
            ]
          },
          "api-ms-win-core-libraryloader-l1-2-0": {
            "dll": "api-ms-win-core-libraryloader-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4837a0",
                "name": "GetModuleHandleW"
              },
              {
                "address": "0x7ff79a4837a8",
                "name": "GetModuleFileNameA"
              },
              {
                "address": "0x7ff79a4837b0",
                "name": "LoadLibraryExW"
              },
              {
                "address": "0x7ff79a4837b8",
                "name": "GetProcAddress"
              },
              {
                "address": "0x7ff79a4837c0",
                "name": "GetModuleFileNameW"
              },
              {
                "address": "0x7ff79a4837c8",
                "name": "GetModuleHandleExW"
              }
            ]
          },
          "api-ms-win-core-synch-l1-1-0": {
            "dll": "api-ms-win-core-synch-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4839c8",
                "name": "CreateSemaphoreExW"
              },
              {
                "address": "0x7ff79a4839d0",
                "name": "InitializeCriticalSection"
              },
              {
                "address": "0x7ff79a4839d8",
                "name": "WaitForSingleObject"
              },
              {
                "address": "0x7ff79a4839e0",
                "name": "ReleaseSemaphore"
              },
              {
                "address": "0x7ff79a4839e8",
                "name": "TryAcquireSRWLockExclusive"
              },
              {
                "address": "0x7ff79a4839f0",
                "name": "WaitForSingleObjectEx"
              },
              {
                "address": "0x7ff79a4839f8",
                "name": "ReleaseMutex"
              },
              {
                "address": "0x7ff79a483a00",
                "name": "ReleaseSRWLockShared"
              },
              {
                "address": "0x7ff79a483a08",
                "name": "AcquireSRWLockShared"
              },
              {
                "address": "0x7ff79a483a10",
                "name": "LeaveCriticalSection"
              },
              {
                "address": "0x7ff79a483a18",
                "name": "CreateMutexExW"
              },
              {
                "address": "0x7ff79a483a20",
                "name": "EnterCriticalSection"
              },
              {
                "address": "0x7ff79a483a28",
                "name": "ReleaseSRWLockExclusive"
              },
              {
                "address": "0x7ff79a483a30",
                "name": "OpenSemaphoreW"
              }
            ]
          },
          "api-ms-win-core-heap-l1-1-0": {
            "dll": "api-ms-win-core-heap-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483720",
                "name": "HeapFree"
              },
              {
                "address": "0x7ff79a483728",
                "name": "HeapAlloc"
              },
              {
                "address": "0x7ff79a483730",
                "name": "GetProcessHeap"
              },
              {
                "address": "0x7ff79a483738",
                "name": "HeapSetInformation"
              },
              {
                "address": "0x7ff79a483740",
                "name": "HeapReAlloc"
              },
              {
                "address": "0x7ff79a483748",
                "name": "HeapSize"
              }
            ]
          },
          "api-ms-win-core-errorhandling-l1-1-0": {
            "dll": "api-ms-win-core-errorhandling-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4835c8",
                "name": "SetLastError"
              },
              {
                "address": "0x7ff79a4835d0",
                "name": "UnhandledExceptionFilter"
              },
              {
                "address": "0x7ff79a4835d8",
                "name": "GetLastError"
              },
              {
                "address": "0x7ff79a4835e0",
                "name": "SetErrorMode"
              },
              {
                "address": "0x7ff79a4835e8",
                "name": "SetUnhandledExceptionFilter"
              }
            ]
          },
          "api-ms-win-core-processthreads-l1-1-0": {
            "dll": "api-ms-win-core-processthreads-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4838b0",
                "name": "InitializeProcThreadAttributeList"
              },
              {
                "address": "0x7ff79a4838b8",
                "name": "GetCurrentThreadId"
              },
              {
                "address": "0x7ff79a4838c0",
                "name": "UpdateProcThreadAttribute"
              },
              {
                "address": "0x7ff79a4838c8",
                "name": "DeleteProcThreadAttributeList"
              },
              {
                "address": "0x7ff79a4838d0",
                "name": "GetStartupInfoW"
              },
              {
                "address": "0x7ff79a4838d8",
                "name": "CreateProcessAsUserW"
              },
              {
                "address": "0x7ff79a4838e0",
                "name": "OpenThread"
              },
              {
                "address": "0x7ff79a4838e8",
                "name": "CreateProcessW"
              },
              {
                "address": "0x7ff79a4838f0",
                "name": "ResumeThread"
              },
              {
                "address": "0x7ff79a4838f8",
                "name": "TerminateProcess"
              },
              {
                "address": "0x7ff79a483900",
                "name": "GetExitCodeProcess"
              },
              {
                "address": "0x7ff79a483908",
                "name": "GetCurrentProcess"
              },
              {
                "address": "0x7ff79a483910",
                "name": "GetCurrentProcessId"
              }
            ]
          },
          "api-ms-win-core-localization-l1-2-0": {
            "dll": "api-ms-win-core-localization-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4837d8",
                "name": "GetThreadLocale"
              },
              {
                "address": "0x7ff79a4837e0",
                "name": "SetThreadLocale"
              },
              {
                "address": "0x7ff79a4837e8",
                "name": "FormatMessageW"
              },
              {
                "address": "0x7ff79a4837f0",
                "name": "GetLocaleInfoW"
              },
              {
                "address": "0x7ff79a4837f8",
                "name": "GetCPInfo"
              },
              {
                "address": "0x7ff79a483800",
                "name": "GetACP"
              },
              {
                "address": "0x7ff79a483808",
                "name": "GetUserDefaultLCID"
              }
            ]
          },
          "api-ms-win-core-debug-l1-1-0": {
            "dll": "api-ms-win-core-debug-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483588",
                "name": "OutputDebugStringW"
              },
              {
                "address": "0x7ff79a483590",
                "name": "DebugBreak"
              },
              {
                "address": "0x7ff79a483598",
                "name": "IsDebuggerPresent"
              }
            ]
          },
          "api-ms-win-core-handle-l1-1-0": {
            "dll": "api-ms-win-core-handle-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483708",
                "name": "DuplicateHandle"
              },
              {
                "address": "0x7ff79a483710",
                "name": "CloseHandle"
              }
            ]
          },
          "api-ms-win-core-memory-l1-1-0": {
            "dll": "api-ms-win-core-memory-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483818",
                "name": "VirtualAlloc"
              },
              {
                "address": "0x7ff79a483820",
                "name": "VirtualQuery"
              },
              {
                "address": "0x7ff79a483828",
                "name": "VirtualFree"
              },
              {
                "address": "0x7ff79a483830",
                "name": "ReadProcessMemory"
              }
            ]
          },
          "api-ms-win-core-console-l1-1-0": {
            "dll": "api-ms-win-core-console-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4834e0",
                "name": "ReadConsoleW"
              },
              {
                "address": "0x7ff79a4834e8",
                "name": "SetConsoleCtrlHandler"
              },
              {
                "address": "0x7ff79a4834f0",
                "name": "SetConsoleMode"
              },
              {
                "address": "0x7ff79a4834f8",
                "name": "WriteConsoleW"
              },
              {
                "address": "0x7ff79a483500",
                "name": "GetConsoleMode"
              },
              {
                "address": "0x7ff79a483508",
                "name": "GetConsoleOutputCP"
              }
            ]
          },
          "api-ms-win-core-file-l1-1-0": {
            "dll": "api-ms-win-core-file-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4835f8",
                "name": "CreateFileW"
              },
              {
                "address": "0x7ff79a483600",
                "name": "FlushFileBuffers"
              },
              {
                "address": "0x7ff79a483608",
                "name": "GetFileAttributesExW"
              },
              {
                "address": "0x7ff79a483610",
                "name": "GetDriveTypeW"
              },
              {
                "address": "0x7ff79a483618",
                "name": "FindClose"
              },
              {
                "address": "0x7ff79a483620",
                "name": "FindNextFileW"
              },
              {
                "address": "0x7ff79a483628",
                "name": "CreateDirectoryW"
              },
              {
                "address": "0x7ff79a483630",
                "name": "GetVolumeInformationW"
              },
              {
                "address": "0x7ff79a483638",
                "name": "SetFileAttributesW"
              },
              {
                "address": "0x7ff79a483640",
                "name": "SetEndOfFile"
              },
              {
                "address": "0x7ff79a483648",
                "name": "SetFilePointerEx"
              },
              {
                "address": "0x7ff79a483650",
                "name": "WriteFile"
              },
              {
                "address": "0x7ff79a483658",
                "name": "DeleteFileW"
              },
              {
                "address": "0x7ff79a483660",
                "name": "SetFileTime"
              },
              {
                "address": "0x7ff79a483668",
                "name": "GetVolumePathNameW"
              },
              {
                "address": "0x7ff79a483670",
                "name": "SetFilePointer"
              },
              {
                "address": "0x7ff79a483678",
                "name": "ReadFile"
              },
              {
                "address": "0x7ff79a483680",
                "name": "GetFileAttributesW"
              },
              {
                "address": "0x7ff79a483688",
                "name": "GetFileType"
              },
              {
                "address": "0x7ff79a483690",
                "name": "RemoveDirectoryW"
              },
              {
                "address": "0x7ff79a483698",
                "name": "FindFirstFileExW"
              },
              {
                "address": "0x7ff79a4836a0",
                "name": "CompareFileTime"
              },
              {
                "address": "0x7ff79a4836a8",
                "name": "GetFullPathNameW"
              },
              {
                "address": "0x7ff79a4836b0",
                "name": "GetDiskFreeSpaceExW"
              },
              {
                "address": "0x7ff79a4836b8",
                "name": "FileTimeToLocalFileTime"
              },
              {
                "address": "0x7ff79a4836c0",
                "name": "GetFileSize"
              },
              {
                "address": "0x7ff79a4836c8",
                "name": "FindFirstFileW"
              }
            ]
          },
          "api-ms-win-core-string-l1-1-0": {
            "dll": "api-ms-win-core-string-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483998",
                "name": "WideCharToMultiByte"
              },
              {
                "address": "0x7ff79a4839a0",
                "name": "MultiByteToWideChar"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-1-0": {
            "dll": "api-ms-win-core-processenvironment-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483840",
                "name": "GetCommandLineW"
              },
              {
                "address": "0x7ff79a483848",
                "name": "GetEnvironmentStringsW"
              },
              {
                "address": "0x7ff79a483850",
                "name": "ExpandEnvironmentStringsW"
              },
              {
                "address": "0x7ff79a483858",
                "name": "FreeEnvironmentStringsW"
              },
              {
                "address": "0x7ff79a483860",
                "name": "SetEnvironmentVariableW"
              },
              {
                "address": "0x7ff79a483868",
                "name": "SearchPathW"
              },
              {
                "address": "0x7ff79a483870",
                "name": "SetCurrentDirectoryW"
              },
              {
                "address": "0x7ff79a483878",
                "name": "GetCurrentDirectoryW"
              },
              {
                "address": "0x7ff79a483880",
                "name": "GetEnvironmentVariableW"
              },
              {
                "address": "0x7ff79a483888",
                "name": "SetEnvironmentStringsW"
              },
              {
                "address": "0x7ff79a483890",
                "name": "GetStdHandle"
              }
            ]
          },
          "api-ms-win-core-console-l2-1-0": {
            "dll": "api-ms-win-core-console-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483518",
                "name": "SetConsoleCursorPosition"
              },
              {
                "address": "0x7ff79a483520",
                "name": "GetConsoleScreenBufferInfo"
              },
              {
                "address": "0x7ff79a483528",
                "name": "ScrollConsoleScreenBufferW"
              },
              {
                "address": "0x7ff79a483530",
                "name": "FillConsoleOutputAttribute"
              },
              {
                "address": "0x7ff79a483538",
                "name": "FillConsoleOutputCharacterW"
              },
              {
                "address": "0x7ff79a483540",
                "name": "FlushConsoleInputBuffer"
              },
              {
                "address": "0x7ff79a483548",
                "name": "SetConsoleTextAttribute"
              }
            ]
          },
          "api-ms-win-security-base-l1-1-0": {
            "dll": "api-ms-win-security-base-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483ad8",
                "name": "GetFileSecurityW"
              },
              {
                "address": "0x7ff79a483ae0",
                "name": "RevertToSelf"
              },
              {
                "address": "0x7ff79a483ae8",
                "name": "GetSecurityDescriptorOwner"
              }
            ]
          },
          "api-ms-win-core-sysinfo-l1-1-0": {
            "dll": "api-ms-win-core-sysinfo-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483a50",
                "name": "GetSystemTime"
              },
              {
                "address": "0x7ff79a483a58",
                "name": "SetLocalTime"
              },
              {
                "address": "0x7ff79a483a60",
                "name": "GetSystemTimeAsFileTime"
              },
              {
                "address": "0x7ff79a483a68",
                "name": "GetTickCount"
              },
              {
                "address": "0x7ff79a483a70",
                "name": "GetWindowsDirectoryW"
              },
              {
                "address": "0x7ff79a483a78",
                "name": "GetLocalTime"
              },
              {
                "address": "0x7ff79a483a80",
                "name": "GetVersion"
              }
            ]
          },
          "api-ms-win-core-timezone-l1-1-0": {
            "dll": "api-ms-win-core-timezone-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483aa8",
                "name": "SystemTimeToFileTime"
              },
              {
                "address": "0x7ff79a483ab0",
                "name": "FileTimeToSystemTime"
              }
            ]
          },
          "api-ms-win-core-datetime-l1-1-0": {
            "dll": "api-ms-win-core-datetime-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483570",
                "name": "GetDateFormatW"
              },
              {
                "address": "0x7ff79a483578",
                "name": "GetTimeFormatW"
              }
            ]
          },
          "api-ms-win-core-systemtopology-l1-1-0": {
            "dll": "api-ms-win-core-systemtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483a90",
                "name": "GetNumaNodeProcessorMaskEx"
              },
              {
                "address": "0x7ff79a483a98",
                "name": "GetNumaHighestNodeNumber"
              }
            ]
          },
          "api-ms-win-core-console-l2-2-0": {
            "dll": "api-ms-win-core-console-l2-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483558",
                "name": "SetConsoleTitleW"
              },
              {
                "address": "0x7ff79a483560",
                "name": "GetConsoleTitleW"
              }
            ]
          },
          "api-ms-win-core-processenvironment-l1-2-0": {
            "dll": "api-ms-win-core-processenvironment-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4838a0",
                "name": "NeedCurrentDirectoryForExePathW"
              }
            ]
          },
          "api-ms-win-core-registry-l1-1-0": {
            "dll": "api-ms-win-core-registry-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483950",
                "name": "RegCloseKey"
              },
              {
                "address": "0x7ff79a483958",
                "name": "RegSetValueExW"
              },
              {
                "address": "0x7ff79a483960",
                "name": "RegOpenKeyExW"
              },
              {
                "address": "0x7ff79a483968",
                "name": "RegCreateKeyExW"
              },
              {
                "address": "0x7ff79a483970",
                "name": "RegEnumKeyExW"
              },
              {
                "address": "0x7ff79a483978",
                "name": "RegDeleteKeyExW"
              },
              {
                "address": "0x7ff79a483980",
                "name": "RegDeleteValueW"
              },
              {
                "address": "0x7ff79a483988",
                "name": "RegQueryValueExW"
              }
            ]
          },
          "api-ms-win-core-file-l2-1-0": {
            "dll": "api-ms-win-core-file-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4836d8",
                "name": "MoveFileExW"
              },
              {
                "address": "0x7ff79a4836e0",
                "name": "CreateSymbolicLinkW"
              },
              {
                "address": "0x7ff79a4836e8",
                "name": "CreateHardLinkW"
              },
              {
                "address": "0x7ff79a4836f0",
                "name": "MoveFileWithProgressW"
              },
              {
                "address": "0x7ff79a4836f8",
                "name": "GetFileInformationByHandleEx"
              }
            ]
          },
          "api-ms-win-core-heap-l2-1-0": {
            "dll": "api-ms-win-core-heap-l2-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483758",
                "name": "GlobalAlloc"
              },
              {
                "address": "0x7ff79a483760",
                "name": "GlobalFree"
              },
              {
                "address": "0x7ff79a483768",
                "name": "LocalFree"
              }
            ]
          },
          "api-ms-win-core-io-l1-1-0": {
            "dll": "api-ms-win-core-io-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483778",
                "name": "DeviceIoControl"
              }
            ]
          },
          "api-ms-win-core-winrt-l1-1-0": {
            "dll": "api-ms-win-core-winrt-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483ac0",
                "name": "RoInitialize"
              },
              {
                "address": "0x7ff79a483ac8",
                "name": "RoUninitialize"
              }
            ]
          },
          "api-ms-win-core-processtopology-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483920",
                "name": "GetThreadGroupAffinity"
              }
            ]
          },
          "api-ms-win-core-synch-l1-2-0": {
            "dll": "api-ms-win-core-synch-l1-2-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483a40",
                "name": "Sleep"
              }
            ]
          },
          "api-ms-win-core-profile-l1-1-0": {
            "dll": "api-ms-win-core-profile-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483940",
                "name": "QueryPerformanceCounter"
              }
            ]
          },
          "api-ms-win-core-string-obsolete-l1-1-0": {
            "dll": "api-ms-win-core-string-obsolete-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4839b0",
                "name": "lstrcmpW"
              },
              {
                "address": "0x7ff79a4839b8",
                "name": "lstrcmpiW"
              }
            ]
          },
          "api-ms-win-core-processtopology-obsolete-l1-1-0": {
            "dll": "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a483930",
                "name": "SetProcessAffinityMask"
              }
            ]
          },
          "api-ms-win-core-apiquery-l1-1-0": {
            "dll": "api-ms-win-core-apiquery-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4834d0",
                "name": "ApiSetQueryApiSetPresence"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-1": {
            "dll": "api-ms-win-core-delayload-l1-1-1.dll",
            "imports": [
              {
                "address": "0x7ff79a4835b8",
                "name": "ResolveDelayLoadedAPI"
              }
            ]
          },
          "api-ms-win-core-delayload-l1-1-0": {
            "dll": "api-ms-win-core-delayload-l1-1-0.dll",
            "imports": [
              {
                "address": "0x7ff79a4835a8",
                "name": "DelayLoadFailureHook"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0003a028",
            "size": "0x000002f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0005d000",
            "size": "0x000084f8"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00059000",
            "size": "0x00002334"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00066000",
            "size": "0x0000030c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00035a60",
            "size": "0x00000054"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00032c10",
            "size": "0x00000118"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00039d20",
            "size": "0x00000080"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00001000",
            "virtual_size": "0x00031000",
            "size_of_data": "0x00031000",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.31"
          },
          {
            "name": ".rdata",
            "raw_address": "0x00031400",
            "virtual_address": "0x00032000",
            "virtual_size": "0x0000b000",
            "size_of_data": "0x0000a600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "5.18"
          },
          {
            "name": ".data",
            "raw_address": "0x0003ba00",
            "virtual_address": "0x0003d000",
            "virtual_size": "0x0001c000",
            "size_of_data": "0x0001b800",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "0.14"
          },
          {
            "name": ".pdata",
            "raw_address": "0x00057200",
            "virtual_address": "0x00059000",
            "virtual_size": "0x00003000",
            "size_of_data": "0x00002400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "5.49"
          },
          {
            "name": ".didat",
            "raw_address": "0x00059600",
            "virtual_address": "0x0005c000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xc0000040",
            "entropy": "1.32"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00059800",
            "virtual_address": "0x0005d000",
            "virtual_size": "0x00009000",
            "size_of_data": "0x00008600",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "4.36"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00061e00",
            "virtual_address": "0x00066000",
            "virtual_size": "0x00001000",
            "size_of_data": "0x00000400",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "4.68"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "MUI",
            "offset": "0x00065420",
            "size": "0x000000d8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.68"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005d778",
            "size": "0x00000668",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.65"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005dde0",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.44"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e0c8",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005e1f0",
            "size": "0x00000ea8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.06"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f098",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.07"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005f940",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "0.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0005fea8",
            "size": "0x0000169e",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "7.85"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00061548",
            "size": "0x000025a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.88"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00063af0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.97"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00064b98",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.17"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00065000",
            "size": "0x00000092",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "2.90"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00065098",
            "size": "0x00000388",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "3.50"
          },
          {
            "name": "RT_MANIFEST",
            "offset": "0x0005d350",
            "size": "0x00000428",
            "filetype": null,
            "language": "LANG_ENGLISH",
            "sublanguage": "SUBLANG_ENGLISH_US",
            "entropy": "5.00"
          }
        ],
        "versioninfo": [
          {
            "name": "CompanyName",
            "value": "Microsoft Corporation"
          },
          {
            "name": "FileDescription",
            "value": "Windows Command Processor"
          },
          {
            "name": "FileVersion",
            "value": "10.0.19041.746 (WinBuild.160101.0800)"
          },
          {
            "name": "InternalName",
            "value": "cmd"
          },
          {
            "name": "LegalCopyright",
            "value": "© Microsoft Corporation. All rights reserved."
          },
          {
            "name": "OriginalFilename",
            "value": "Cmd.Exe"
          },
          {
            "name": "ProductName",
            "value": "Microsoft® Windows® Operating System"
          },
          {
            "name": "ProductVersion",
            "value": "10.0.19041.746"
          },
          {
            "name": "Translation",
            "value": "0x0409 0x04b0"
          }
        ],
        "imphash": "272245e2988e1e430500b852c4fb5e18",
        "timestamp": "2090-01-16 09:26:43",
        "icon": "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",
        "icon_hash": "00d152c1523e56c619d25f6c96c21a41",
        "icon_fuzzy": "e55641fba39eaff4ee89e5fc0af8f337",
        "icon_dhash": "a2ae7a370101a3c0",
        "imported_dll_count": 37
      },
      "data": null,
      "strings": [
        "l$PLcv$I",
        "fD9$Cu",
        "t$0L+",
        "fG94lu",
        "lext-ms-win-cmd-util-l1-1-0",
        "fD9,0",
        "DISABLEEXTENSIONS",
        "NtQueryInformationProcess",
        "@8=D!",
        "D9t$<",
        "_ultoa",
        "A_A^A]A\\_",
        "GetFullPathNameW",
        "COLOR",
        "interrupted",
        " %x %c",
        "HcD$x",
        "t$0uKE3",
        " &()[]{}^=;!%'+,`~",
        "\\$dD9L$T",
        ".bss$00",
        "fD9l$ ",
        "L$8f99u`+",
        "f9|$Vt\"",
        "message size",
        "no_buffer_space",
        "api-ms-win-core-synch-l1-1-0.dll",
        "memcpy",
        "api-ms-win-core-file-l1-1-0.dll",
        "usebackq",
        "l$HE3",
        "GetModuleFileNameA",
        "WATAUAVAWH",
        "GetCurrentProcessId",
        ".CRT$XCU",
        "t$ WH",
        "api-ms-win-core-synch-l1-2-0.dll",
        "t$HD9=",
        "connection_refused",
        "CMD Internal Error %s",
        "t4f93t/H",
        "\"t5fA",
        "MKLINK",
        "permission_denied",
        "fD9$xu",
        "ASSOC",
        "CloseHandle",
        "Redir: ",
        "LegalCopyright",
        "GetCommandLineW",
        "ext-ms-win-branding-winbrand-l1-1-1",
        "Hct$ ",
        "\\XCOPY.EXE",
        ".CRT$XIZ",
        "            <requestedExecutionLevel",
        "fD9+t",
        "Sleep",
        ".text$yd",
        "MessageBeepStub",
        "|$ 9=",
        "HeapFree",
        "invalid string position",
        ".xdata$x",
        "FlushConsoleInputBuffer",
        "fD9,Vu",
        "D9|$0",
        "GetCurrentThreadId",
        "AcquireSRWLockShared",
        "fD9 tuH",
        "fB9<{u",
        "CMDEXTVERSION",
        "%hs(%u)\\%hs!%p: ",
        "L$4uFA",
        "HH:mm:ss t",
        "NtFsControlFile",
        "no such device or address",
        "u4D95N",
        "8*uUH",
        "SetUnhandledExceptionFilter",
        "L$0H3",
        "ScrollConsoleScreenBufferW",
        "L$XH3",
        "E$uwM",
        "A^A\\]",
        "_wcsnicmp",
        "L$@E3",
        "SUWATAUAVAWH",
        "fF9$pu",
        "D9t$DtND",
        "destination_address_required",
        "api-ms-win-core-timezone-l1-1-0.dll",
        "WaitForSingleObject",
        "fD94Bu",
        "rmdir ",
        "fD94Cu",
        "D95lB",
        "eY_wK",
        "f9<Au",
        "A_A^A\\_^",
        ">/~sA",
        "D9t$0",
        "HeapSetInformation",
        "f94Ju",
        "ext-ms-win-shell-shell32-l1-2-3",
        "GetWindowsDirectoryW",
        "BrandingFormatString",
        "fD9$Hu",
        "f9,Xu",
        "GetFileInformationByHandleEx",
        "iH4-N",
        "A_A^A]A\\_^][",
        "SetLocalTime",
        "f9,Cu",
        "fD9tG",
        "*t|fA;",
        "api-ms-win-core-heap-l1-1-0.dll",
        "ATAVAWH",
        "@SVWH",
        "Null environment",
        "    <windowsSettings xmlns:ws2=\"http://schemas.microsoft.com/SMI/2016/WindowsSettings\">",
        "??1exception@@UEAA@XZ",
        ".didat$3",
        "D8L$\\",
        "L$ SWH",
        "ResumeThread",
        "u+fD9o",
        "f94Zu",
        "VirtualAlloc",
        "t\"D9%",
        "BELOWNORMAL",
        "read only file system",
        "api-ms-win-security-base-l1-1-0.dll",
        ">3t#A",
        "fF9<fu",
        "no_protocol_option",
        "not_connected",
        "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>",
        "                uiAccess=\"false\"",
        "no link",
        "fD9 tK",
        "d$0E3",
        ".text$mn",
        "|$z:t0A",
        "#D$D;",
        ".xdata",
        "Se%ae`",
        "iswxdigit",
        "D$0H;",
        "ABOVENORMAL",
        "|$@PE",
        "api-ms-win-core-console-l2-2-0.dll",
        "iswspace",
        "MKDIR",
        "L$PE3",
        "tlfD9>tfI",
        "f;D$`",
        "protocol_not_supported",
        "t!fD9l$ ",
        "??_V@YAXPEAX@Z",
        "connection reset",
        "K9\\$<t",
        "tbfA9",
        "operation not supported",
        " H3E H3E",
        "D9t$x",
        "H!|$`I",
        "host unreachable",
        "FormatMessageW",
        "NDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD",
        "f9,Bu",
        "AfD9!u",
        "u0D9d$ ",
        "GetVersion",
        "KERNEL32.DLL",
        "f9|$<tMI;",
        ".data$00",
        "fD94Gu",
        "ferror",
        "p AWH",
        "oL$0f",
        "api-ms-win-core-processtopology-obsolete-l1-1-0.dll",
        "                level=\"asInvoker\"",
        "no lock available",
        " A_A^A\\^]",
        "DebugBreak",
        "@SUVWH",
        "D$ I;",
        "D8L$h",
        "fA9<@u",
        "\\CMD.EXE",
        "A_A^A]A\\_^[",
        "result out of range",
        "RMDIR",
        "CreateProcessW",
        "cCBR_p",
        "A_A^A\\_]",
        "COPYCMD",
        ".text",
        "TryAcquireSRWLockExclusive",
        "f9<Hu",
        "wrong_protocol_type",
        "<GfD9#",
        "D9%PC",
        "XXX8Pvh8v",
        "SetFilePointer",
        "NEWWINDOW",
        "HcA<H",
        "SetErrorMode",
        "l$ VWATAVAWH",
        "api-ms-win-core-registry-l1-1-0.dll",
        "api-ms-win-core-handle-l1-1-0.dll",
        "pushd ",
        "t$HM+",
        "fprintf",
        "NTDLL.DLL",
        "fD9,ou",
        "D9%KA",
        "ReadFile",
        "api-ms-win-core-profile-l1-1-0.dll",
        "fD9$yu",
        ".CRT$XIY",
        "too many files open",
        "SetConsoleCursorPosition",
        "L$8H3",
        "SetCurrentDirectoryW",
        "tRfD9",
        "t~fA;",
        "t\"D8=",
        "|$ AVH",
        "_lock",
        "t$ WAVAWH",
        "x UAVAWH",
        "yy/MM/dd",
        "UWAUAVAWH",
        "l$ E3",
        "T$ H+",
        "L9%@^",
        "fE9$Gu",
        "(%s) %s ",
        "[%hs]",
        "@SVAUH",
        "fD9|]",
        "CMD.EXE",
        "api-ms-win-core-systemtopology-l1-1-0.dll",
        "PUSHD",
        "x ATAVAWH",
        "fD9d$P",
        "pA_A^_^]",
        "f9H\\u",
        "connection_aborted",
        "_wcsicmp",
        "    /D /c\"",
        "s AWH",
        "LoadLibraryExW",
        "SetFilePointerEx",
        "_exit",
        "WGeToken: (%x) '%s'",
        "is a directory",
        "SUVWATAVAWH",
        "connection_already_in_progress",
        "RegDeleteValueW",
        "A_A^A\\_^[]",
        "RtlDosPathNameToRelativeNtPathName_U_WithStatus",
        "fD9$Gu",
        "D9d$x",
        "fD9$pu",
        "EnableExtensions",
        "_errno",
        "H9t$Xt eH",
        "D$<E3",
        " Microsoft Corporation. All rights reserved.",
        "APerformUnaryOperation: '%c'",
        "pqacG%%apppppppaB",
        ".?AVbad_alloc@std@@",
        "api-ms-win-core-delayload-l1-1-0.dll",
        "_pclose",
        "\\$0E3",
        "SetFileTime",
        "D;S$r",
        "wwwwwwww",
        "VirtualQuery",
        "fD9<qu",
        "CMDCMDLINE",
        "TerminateProcess",
        "DelayLoadFailureHook",
        "file too large",
        "dd/MM/yy",
        "<application  xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        ".rsrc$02",
        "wwwwwwwwp",
        "AutoRun",
        "t$49\\$Ht&9",
        "GetStdHandle",
        "D$PE3",
        "SHARED",
        "PAUSE",
        "%s %s ",
        "owner dead",
        "se%%%%% R",
        "%02d%s%02d%s%02d",
        "HeapSize",
        "fF9l}",
        "ERASE",
        "D9y$vb",
        "wcstol",
        "NtQueryInformationToken",
        "</assembly>",
        "fD90H",
        "t$ WATAVH",
        "GetSystemTime",
        ".data$zz",
        ".bss$zz",
        "GetLocalTime",
        "GetConsoleTitleW",
        "argument out of domain",
        "UATAVH",
        ">0tdA",
        ";l$0u",
        "??0exception@@QEAA@AEBQEBD@Z",
        "ENDLOCAL",
        "f9<Fu",
        "D$XfD",
        "H!\\$ L",
        "inappropriate io control operation",
        "wcsrchr",
        ".CRT$XIAA",
        "L$095",
        "9\"tFH",
        "filename too long",
        "connection aborted",
        "SUVWATAUAVAWH",
        "SetProcessAffinityMask",
        "WNetAddConnection2WStub",
        "GetTickCount",
        "fD94{u",
        "fA9<wu",
        "GetDiskFreeSpaceExW",
        ".idata$3",
        "<t:-,",
        "D$DE3",
        "connection already in progress",
        "printf",
        "no buffer space",
        "L$ H+",
        "D$HE3",
        "t$HE3",
        "tBD9t$pu;H",
        " [..]",
        "t$0E;",
        "Application",
        "address_not_available",
        "LcA<E3",
        "*** Unknown type: %x",
        "L$pfD",
        "__set_app_type",
        "\\$$E3",
        "m;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\Scripts\\;C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\\;C:\\Users\\Rajesh\\AppData\\Local\\Microsoft\\WindowsApps",
        "HcT$8H",
        "GetVolumePathNameW",
        "QueryPerformanceCounter",
        "ext-ms-win-cmd-util-l1-1-0.dll",
        "CreateSymbolicLinkW",
        "timed_out",
        "D$8E3",
        "identifier removed",
        "NtSetInformationProcess",
        "%d.%d.%05d.%d",
        "io error",
        "tUD9%",
        " A^A]A\\",
        "executable format error",
        ".didat$6",
        "f94yu",
        "H9L$@r",
        "_callnewh",
        "_commode",
        "Windows Command Processor",
        "fD94yu",
        "no such file or directory",
        "qsort",
        ".CRT$XCAA",
        "CallContext:[%hs] ",
        "api-ms-win-core-string-obsolete-l1-1-0.dll",
        "VarFileInfo",
        "9|$Ht",
        ";|$Xt",
        "WaitForSingleObjectEx",
        "H9D$x",
        ".rdata$brc",
        "wcsstr",
        "??0exception@@QEAA@AEBV0@@Z",
        "MultiByteToWideChar",
        "api-ms-win-core-libraryloader-l1-2-0.dll",
        "fE9,Fu",
        "_tell",
        ".text$np",
        "0A^_^][",
        "ProductVersion",
        "ENABLEEXTENSIONS",
        "\\$ E3",
        "UVATAVAWH",
        "RoInitialize",
        "FTYPE",
        "d$x@8=",
        "L9%<`",
        "fD9,Cu",
        "Gxf9(u,3",
        "CreateSemaphoreExW",
        "</application>",
        "T$0E3",
        "__dllonexit",
        "f9,xu",
        "D8L$iL",
        "device or resource busy",
        "not_a_socket",
        "Msg:[%ws] ",
        "OutputDebugStringW",
        "PATHEXT",
        "L$0H=",
        "0A_A^^",
        "fD9$Ku",
        "DeleteProcThreadAttributeList",
        "GetSecurityDescriptorOwner",
        "stream timeout",
        "network reset",
        ".rdata$00",
        "FillConsoleOutputCharacterW",
        "L$PH3",
        "SetLastError",
        "f94Au",
        "api-ms-win-core-console-l2-1-0.dll",
        "fE94Wu",
        "wcstoul",
        "SHIFT",
        "network_down",
        "9\\$<t",
        "x UATAUAVAWH",
        "FillConsoleOutputAttribute",
        "tsHcL$8L",
        "_setjmp",
        "WriteFile",
        "oT$@f",
        "            />",
        "PU,//",
        "delims=",
        "Local\\SM0:%d:%d:%hs",
        "COMSPEC",
        "M0H9M`t",
        "=,;+/[] ",
        "FlushFileBuffers",
        "T$8A;",
        "system",
        "FindNextFileW",
        "ext-ms-win-branding-winbrand-l1-2-0",
        "%s=%s",
        "cG?CCRRRRP`R",
        "10.0.19041.746",
        "ProductName",
        "wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\"",
        ".?AVexception@@",
        "D8=-u",
        "tlD8%",
        ".text$mn$00",
        "UAVAWH",
        "USVWATAUAVAWH",
        "VirtualFree",
        "L$HE3",
        "t$`I+",
        "L$@fA",
        ".idata$2",
        "WAVAWH",
        "$DHcD$PM",
        "x AUAVAWH",
        "FailFast",
        "fE9,Wu",
        "not supported",
        "UVWATAUAVAWH",
        "|$`E3",
        "_onexit",
        "A_A^A]",
        "t%fA;",
        "fD9DC",
        ";:u8A",
        "A_A^A]_]",
        "FtFfD9",
        "ext-ms-win-branding-winbrand-l1-1-0.dll",
        "!This program cannot be run in DOS mode.",
        ".00cfg",
        "|$8D9{",
        ".bss$pr00",
        "HcD$ ",
        "network down",
        "t$@E3",
        ";:u.A",
        "@A_A^A]A\\_^[",
        "fA94Ru",
        "SetConsoleInputExeNameW",
        "ext-ms-win-shell-shell32-l1-3-0",
        "L$8E3",
        "FindFirstFileW",
        "DEFINED",
        "malloc",
        "cross device link",
        "fD9t$\"",
        "FindNextStreamWStub",
        "L$pH3",
        "n(D9-c",
        "fF9$Cu",
        ".text$zy",
        "GetCurrentDirectoryW",
        "__iob_func",
        "RtlFindLeastSignificantBit",
        "fD9,Gu",
        "UpdateProcThreadAttribute",
        "L$Xf91t",
        "bad_file_descriptor",
        "DuplicateHandle",
        "D$@H9t$@",
        "0A_A^_",
        "f9,Gu",
        "@A_A^]",
        "    </security>",
        "GetThreadGroupAffinity",
        "DeleteFileW",
        "8A^_^[",
        ")t$@H",
        "f9/t+",
        "api-ms-win-core-localization-l1-2-0.dll",
        "L9{@u",
        "FindClose",
        "not a directory",
        "((((&&(&&&(&(&&&&&&(((#&&###",
        "BREAK",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "DelayedExpansion",
        "fD94~u",
        "no stream resources",
        "wcscmp",
        "START",
        "uE9\\$<uE",
        "PathCompletionChar",
        "A_A^A]A\\_^]",
        "NtSetInformationFile",
        "Copyright (c) Microsoft Corporation. All rights reserved.",
        "@USVWATAVAWH",
        "D$89|$P",
        "9|$Pt!H",
        "too many links",
        "L9L$x",
        "FOR/?",
        "NORMAL",
        "UVWAVAWH",
        "T$PE3",
        "`A_A^A\\_^][",
        "kernelbase.dll",
        "fD94Su",
        "InitializeProcThreadAttributeList",
        "fA9<\\u",
        "Cd$@H",
        "GetFileSecurityW",
        "CHcD$pH",
        "D8L$ ",
        "MoveFileWithProgressW",
        "H!|$ L",
        "RtlReleaseRelativeName",
        "DIRCMD",
        "x AVH",
        "DefaultColor",
        "|$pI+",
        "L$(H3",
        ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC",
        " /K %s",
        "GetConsoleMode",
        "ENABLEDELAYEDEXPANSION",
        "t$@H9",
        "GetUserDefaultLCID",
        "VAVAWH",
        "onecore\\internal\\sdk\\inc\\wil\\opensource\\wil\\resource.h",
        "fD9,Ku",
        "fE9LE",
        "|$ ut",
        "api-ms-win-core-file-l2-1-0.dll",
        "!KD4)#",
        "TITLE",
        ".?AVlogic_error@std@@",
        "D$`f9",
        "<assemblyIdentity",
        "t,fD92t&I",
        "UWATAVAWH",
        "start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\"",
        "f9(u%H",
        "o\\$PH",
        "FileVersion",
        "fD9$nu",
        "bad message",
        "no such device",
        ".text$zz",
        "__setusermatherr",
        "fD9,Ou",
        "api-ms-win-core-debug-l1-1-0.dll",
        "D9|$0u$E3",
        "L$ USWH",
        ".idata$4",
        " [...]",
        "PROMPT",
        "f94{u",
        "UWAWH",
        "RtlLookupFunctionEntry",
        "WriteConsoleW",
        "WNetCancelConnection2WStub",
        "@SUVWAVH",
        "Fxf9(u-3",
        "DisableCMD",
        "APerformArithmeticOperation: '%c'",
        "RENAME",
        "8\\utH",
        ".data",
        "A_A^A]A\\_^[]",
        "address_family_not_supported",
        "    processorArchitecture=\"amd64\"",
        "    </windowsSettings>",
        "eIDATx",
        "_getch",
        ".rsrc",
        "_CxxThrowException",
        "CompletionChar",
        " Operating System",
        "REM /?",
        ".rdata$00$brc",
        "D$Pf9",
        "NtQueryVolumeInformationFile",
        ".data$r$brc",
        "Translation",
        "already_connected",
        "GlobalAlloc",
        "f9<^u",
        "L$ UVWATAUAVAWH",
        "function not supported",
        "VWAVH",
        "lstrcmpW",
        "A_A^A\\",
        "fD94Ou",
        "wrong protocol type",
        ".didat$2",
        "GetLastError",
        "HeapReAlloc",
        "fE9$Ou",
        " A_A^_",
        "fD9$Au",
        "onecore\\base\\cmd\\maxpathawarestring.cpp",
        "L95NW",
        "InternalName",
        "SetConsoleMode",
        "<!-- Copyright (c) Microsoft Corporation -->",
        "_close",
        ".didat$4",
        "useback",
        "\\Shell\\Open\\Command",
        "/w&tV",
        "fF9,gu",
        "srand",
        "f94Cu",
        "L$0H;",
        "GetExitCodeProcess",
        "api-ms-win-core-processenvironment-l1-1-0.dll",
        "L$XH+",
        "fflush",
        "tSL9?",
        "fA9,Pu",
        "^fD9+",
        "GetDriveTypeW",
        "fD9tC",
        "040904B0",
        "no message",
        "already connected",
        "GetSystemTimeAsFileTime",
        "FileTimeToSystemTime",
        ">;u\\D",
        "0A_A^A]A\\_^]",
        "fD9TH,u",
        "SetConsoleTitleW",
        "fD9$hu",
        ".gljmp",
        "[%hs(%hs)]",
        "bad_address",
        "ShellExecuteWorker",
        "|$0E3",
        "    version=\"5.1.0.0\"",
        ".pdata",
        "fE9$vu",
        "fD9,xu",
        "api-ms-win-core-apiquery-l1-1-0.dll",
        "f9tQ,u",
        "WAUAVH",
        "f;0u>H",
        "cmd.pdb",
        "|$ ATAVAWH",
        "f9<Cu",
        "D$l;E",
        "address not available",
        "|$ Hc",
        "en-US",
        "fD9$su",
        "D$PfA",
        "LeaveCriticalSection",
        "realloc",
        "A_A^A]A\\]",
        "u\"f90u&H",
        "D$8H!t$8H",
        "ntdll.dll",
        "ReleaseSRWLockShared",
        "protocol not supported",
        "D9%`9",
        "u HcA<H",
        ".gfids",
        "D$0fD98t",
        "no message available",
        "iostream",
        "D3blc",
        "%s (%s) %s",
        "memset",
        "fD9dG",
        ".rsrc$01",
        "connection_reset",
        "\\$ UVWAVAWH",
        "_cexit",
        "REALTIME",
        "fD98t",
        "D$ I+",
        "fD9|F0u",
        "{ ATAVAWH",
        "fE9$wu",
        "fD9<Xu",
        "<description>Windows Command Processor</description>",
        "fF9Dj0u",
        "LogHr",
        "D8=is",
        "GetFileAttributesExW",
        "ext-ms-win-shell-shell32-l1-2-0",
        "7fD90",
        "VS_VERSION_INFO",
        "A_A^]",
        "|$ E3",
        "Software\\Classes",
        "L$xE3",
        "FindFirstStreamWStub",
        "n<DSbb",
        "GetModuleFileNameW",
        "D$\"fD",
        "RANDOM",
        "UnhandledExceptionFilter",
        "network unreachable",
        "D$pE3",
        "\\$PE3",
        "CHDIR",
        "t$(E3",
        "EXIST",
        "directory not empty",
        "argument list too long",
        "f90t7",
        "(fD97",
        "fE9DE",
        "too many symbolic link levels",
        "@A^_^",
        "DPATH",
        "D$@E3",
        "\\$ UH",
        "??1type_info@@UEAA@XZ",
        "SVWATAUAVAWH",
        ".idata$5",
        "_wcsupr",
        ".CRT$XCA",
        "_vsnwprintf",
        "api-ms-win-core-delayload-l1-1-1.dll",
        "HcT$ L",
        "??3@YAXPEAX@Z",
        ".CRT$XCZ",
        "GetModuleHandleW",
        "\\$ UVWATAUAVAWH",
        "api-ms-win-core-kernel32-legacy-l1-1-0.dll",
        "Software\\Policies\\Microsoft\\Windows\\System",
        ".data$pr00",
        "Ungetting: '%s'",
        "D9-P8",
        "],//cuu",
        "bad allocation",
        "fD9$Zu",
        ".text$lp01cmd.exe!20_pri7",
        "f94Ku",
        "SetEnvironmentVariableW",
        "GetProcessHeap",
        "System",
        "D$8L+",
        "protocol error",
        ".data$brc",
        "_initterm",
        "Microsoft Corporation",
        "D9l$d",
        "@USVWATAUAVAWH",
        "fD9 t&f",
        "H9{Hs>H",
        "t$0E3",
        "t$0fB",
        ".didat$5",
        "GetFileSize",
        "RtlVirtualUnwind",
        "CreateMutexExW",
        "H+|$@H",
        "ReadConsoleW",
        "fD94Hu",
        "IDI_APPICON",
        "tRHcL$xI",
        "KxfD91",
        "operation canceled",
        "fE9,xu",
        "@.didat",
        "QueryFullProcessImageNameWStub",
        ";C$sD",
        "tokens=",
        "ext-ms-win-shell-shell32-l1-2-0.dll",
        "calloc",
        "bad file descriptor",
        "G0HcW",
        "CreateDirectoryW",
        "8/t@H",
        "GetVDMCurrentDirectoriesStub",
        "    name=\"Microsoft.Windows.FileSystem.CMD\"",
        "fB9<iu",
        "fA98u",
        "GetConsoleScreenBufferInfo",
        "D9-4m",
        "SearchPathW",
        "api-ms-win-core-heap-l2-1-0.dll",
        "<noalias>",
        "RegOpenKeyExW",
        ".?AVout_of_range@std@@",
        "fC9\\e",
        "4FHcD$`H",
        "D$ L+",
        "fD9$_u",
        "L$ E3",
        "fD9$Su",
        "RegSetValueExW",
        "D9d$P",
        "__CxxFrameHandler3",
        "fA94Du",
        "ext-ms-win-branding-winbrand-l1-1-2",
        "NtClose",
        "not a stream",
        "()|&=,;\"",
        "REM/?",
        "fD9,^u",
        "CompareFileTime",
        "t$ E3",
        "D$0L;",
        "9T$0u0",
        "fE9$Fu",
        "api-ms-win-core-console-l1-1-0.dll",
        "@WAVH",
        "fE9<nu",
        ";:u&A",
        "L$xHc",
        "SetConsoleCtrlHandler",
        "api-ms-win-core-processenvironment-l1-2-0.dll",
        "state not recoverable",
        "file exists",
        "f9|$Xvx",
        "H9D$`",
        "Software\\Microsoft\\Command Processor",
        "ReleaseSemaphore",
        "network_unreachable",
        "CopyFileExW",
        "api-ms-win-core-winrt-l1-1-0.dll",
        "fA9<Fu",
        "D9t$p",
        "skip=",
        "SEPARATE",
        "f9,su",
        "api-ms-win-core-sysinfo-l1-1-0.dll",
        "fA9<Vu",
        "fD9,8",
        " A_A^_H",
        "%2d%s%02d%s%02d%s%02d",
        "Exception",
        ";8uWH",
        "fD9<Hu",
        "invalid_argument",
        "wwwwwwwwwwwwwwwwwwwww",
        "memcmp",
        "GetTimeFormatW",
        "T$8E3",
        "tGD95",
        "(caller: %p) ",
        "tbD9t$Pu[H",
        "|$ UATAUAVAWH",
        "GetLocaleInfoW",
        "L$(E3",
        "F fD9",
        "NeedCurrentDirectoryForExePathW",
        ".didat$7",
        ".?AVlength_error@std@@",
        "w5tlA",
        "8=unH",
        "resource unavailable try again",
        "RtlCreateUnicodeStringFromAsciiz",
        "D$pf9",
        "CreateProcessAsUserW",
        "@A_A^A]",
        " A_A^A]A\\_",
        "fE9,Gu",
        "cmd.exe",
        "fF9$xu",
        "4qaCCRCCCB",
        "address in use",
        "L$TE3",
        "fD9 u",
        "DeviceIoControl",
        "??0exception@@QEAA@AEBQEBDH@Z",
        "GetCPInfo",
        "CmdBatNotificationStub",
        "FileTimeToLocalFileTime",
        "_amsg_exit",
        "t$pE3",
        "lstrcmpiW",
        "towlower",
        "fgets",
        "t$@D8=",
        "    <windowsSettings>",
        "D$(E3",
        "StringFileInfo",
        "|$XMc",
        "wcschr",
        "A_A^_^]",
        "NtOpenProcessToken",
        "L$0E3",
        "%hs!%p: ",
        "L9{0t#H",
        ".CRT$XIA",
        "w{H9{",
        "_setmode",
        "string too long",
        "D$D9E",
        "mkdir ",
        "fD9#u",
        ".rdata$zz",
        "filename_too_long",
        "l$ VWAVH",
        ".bss$dk00",
        "D8-BP",
        "@A_A^A\\",
        "SVWAVH",
        "GetModuleHandleExW",
        "u3fD;",
        "0123456789",
        "__getmainargs",
        "MM/dd/yy",
        "address family not supported",
        "onecore\\base\\cmd\\StartShellExecServiceProvider.h",
        "t$pL+",
        "value too large",
        "t$(9|$8t1",
        "_get_osfhandle",
        "CreateFileW",
        "InitializeCriticalSection",
        "not connected",
        "GetEnvironmentStringsW",
        "SetThreadLocale",
        "GetACP",
        "unknown error",
        "` AUAVAWH",
        ".giats",
        "f9,Hu",
        "fD9dM",
        "fD9$Fu",
        "\\$ UVWH",
        "(t$@L",
        "SETLOCAL",
        "oD$ f",
        "HIGHESTNUMANODENUMBER",
        "RaiseFailFastException",
        "HcD$pH",
        "9:uGH9-n",
        "api-ms-win-core-processtopology-l1-1-0.dll",
        "RegCloseKey",
        "ApiSetQueryApiSetPresence",
        "timed out",
        "CCCC@40`P@ ",
        "chdir ",
        "L$ fD",
        "fD9/u",
        "_local_unwind",
        "A^_^][",
        "????????.???",
        "fA9<Du",
        "FindFirstFileExW",
        "wwwwwwwwwwwwwww",
        "LocalFree",
        "RegDeleteKeyExW",
        "HcL$ HcD$$H",
        "operation not permitted",
        ".data$dk00$brc",
        "memmove",
        "fD9$Wu",
        "_wcslwr",
        "wcsncmp",
        "operation in progress",
        "_open_osfhandle",
        "api-ms-win-core-io-l1-1-0.dll",
        " A_A^A\\",
        ".rdata$zzzdbg",
        "fD9,Ju",
        "fD94xu",
        "@SUVWATAUAVAWH",
        "RtlFreeHeap",
        "VERIFY",
        "L$`H3",
        "%s %s%s ",
        "ResolveDelayLoadedAPI",
        "D$ fD",
        "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">",
        "f90u&H",
        "        <ws2:longPathAware>true</ws2:longPathAware>",
        "_pipe",
        "SetEndOfFile",
        "'Px0&D",
        "H+L$xH",
        "UWAVH",
        "fdpnxsatz",
        "HcD$PM",
        "Sh(PO",
        "fD9,Wu",
        "FileDescription",
        "GetThreadLocale",
        "x ATAUAVH",
        "fD94Wu",
        "resource deadlock would occur",
        "D$0E3",
        "permission denied",
        "fD9,Au",
        "fE9d~",
        ".text$di",
        "message_size",
        "t$ WATAUAVAWH",
        "Cmd: %s  Type: %x ",
        "A_A^_",
        "fD9|G0u",
        "GetProcAddress",
        "SetFileAttributesW",
        "no such process",
        "RtlDllShutdownInProgress",
        "DisableUNCCheck",
        "%04X-%04X",
        "GetEnvironmentVariableW",
        "too_many_files_open",
        "fE9<^u",
        "RtlCaptureContext",
        "ShellExecuteExW",
        "GetConsoleWindow",
        "towupper",
        "f9,{u",
        "@A_A^_^]",
        "f9,Su",
        "ReleaseSRWLockExclusive",
        "fF9<Au",
        "iostream stream error",
        "_purecall",
        "GetDateFormatW",
        "A^A]_",
        "AFFINITY",
        "bad address",
        "OriginalFilename",
        "fD99t~D9=<u",
        "fB9<su",
        "10.0.19041.746 (WinBuild.160101.0800)",
        "RegQueryValueExW",
        "GetCurrentProcess",
        "T$0fD",
        "L;d$x",
        "generic",
        "FreeEnvironmentStringsW",
        "|$TfD",
        "GetFileAttributesW",
        "@SAWH",
        "D$`fD98t",
        "FOR /?",
        "fD9<{u",
        "RegEnumKeyExW",
        "too many files open in system",
        "$DHcD$`H",
        "L+D$ H+",
        "fD90t",
        "memcpy_s",
        "ext-ms-win-shell-shell32-l1-2-1",
        "tGHcT$0M",
        "DoSHChangeNotify",
        "fF9$Iu",
        "ext-ms-win-shell-shell32-l1-2-2",
        "RegCreateKeyExW",
        "HcD$`H",
        "%WINDOWS_COPYRIGHT%",
        "fD9#t",
        "D9f$t",
        "Cmd.Exe",
        "t<fA9(t6I",
        "d$Ht*E",
        "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
        "api-ms-win-core-string-l1-1-0.dll",
        "destination address required",
        "fD94Au",
        "RemoveDirectoryW",
        ".text$lp00cmd.exe!20_pri7",
        "CreateHardLinkW",
        "x UATAVH",
        "u*9Q<|%",
        "_wpopen",
        "HeapAlloc",
        "address_in_use",
        "f9,Ou",
        "%02d%s%02d%s",
        "no child process",
        "fE9dw",
        "SetConsoleTextAttribute",
        "api-ms-win-core-errorhandling-l1-1-0.dll",
        "RevertToSelf",
        "WideCharToMultiByte",
        "OpenThread",
        "1H9wx",
        "IsDebuggerPresent",
        "operation_not_supported",
        "td@8=",
        "NtOpenThreadToken",
        "|$P.uEH",
        "D9L$l",
        "SystemTimeToFileTime",
        "RtlDisownModuleHeapAllocation",
        "\\uc@8=",
        ";;u;H",
        "OpenSemaphoreW",
        "f99ujH",
        "_unlock",
        "@Qm6t",
        "<>+-*/%()|^&=,",
        "connection refused",
        "f9<Qu",
        "ReturnHr",
        "L9N@A",
        ">1tUA",
        "D9%/?",
        "longjmp",
        ".rdata",
        ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
        "=ExitCodeAscii",
        "MoveFileExW",
        "D$(@P",
        "WNetGetConnectionWStub",
        "</trustInfo>",
        "*)))))))))))))))))))))",
        "!wct&",
        "_dup2",
        "NtOpenFile",
        "LookupAccountSidWStub",
        "operation_in_progress",
        "x AWH",
        "operation would block",
        "    <security>",
        "Software\\Microsoft\\Windows NT\\CurrentVersion",
        "CopyFileW",
        "L$ht'A",
        "%hs(%d) tid(%x) %08X %ws",
        "f9<Ku",
        "@A_A^A]A\\_^]",
        "EnterCriticalSection",
        "host_unreachable",
        "fD94wu",
        "D8L$ t",
        "RtlDosPathNameToNtPathName_U",
        "fD9<Gu",
        "Args: `%s' ",
        "invalid seek",
        "_wtol",
        "text file busy",
        "        </requestedPrivileges>",
        "no space on device",
        "GetNumaNodeProcessorMaskEx",
        "9D$0u",
        " A^A\\_",
        "D$@fD9'",
        "T$XD;{",
        "T$8H;",
        "@A_A^A]A\\_][",
        "RtlNtStatusToDosError",
        "GetFileType",
        "fD9<Bu",
        "=ExitCode",
        "illegal byte sequence",
        "|$[fD9?",
        "ExpandEnvironmentStringsW",
        "`A_A^A]A\\_^]",
        "iswalpha",
        "ReadProcessMemory",
        "fD93u6H;",
        "CSVFS",
        "f90t13",
        "D9|$Pt",
        "t|D9t$xuuH",
        " Windows",
        "GetVolumeInformationW",
        " A_A^A]A\\_^]",
        "Microsoft",
        "r?fA;",
        "    type=\"win32\"",
        "fD9<Cu",
        "D$ fA;",
        "wcsspn",
        "prRRRPa",
        "fE9$@u",
        "\\$(E3",
        "iswdigit",
        "CompanyName",
        "RRRRP%",
        "|T0 s",
        "?what@exception@@UEBAPEBDXZ",
        "fD9:u",
        "|$4fE99",
        "__C_specific_handler",
        "broken pipe",
        "operation_would_block",
        "f9<Bu",
        "D;d$@D",
        "api-ms-win-core-datetime-l1-1-0.dll",
        "WilError_03",
        "        <requestedPrivileges>",
        "@.reloc",
        "setlocale",
        "G8f9C",
        "ReleaseMutex",
        "C0D9s$",
        "E[fD9",
        "DISABLEDELAYEDEXPANSION",
        "fD9,_u",
        "u#D8g!u",
        "ERRORLEVEL",
        "fD9,Fu",
        ">2tFA",
        "SetEnvironmentStringsW",
        "not enough memory",
        "NtCancelSynchronousIoFile",
        "t$xE3",
        "ext-ms-win-branding-winbrand-l1-1-0",
        "?terminate@@YAXXZ",
        "fE9,Ft",
        "GetNumaHighestNodeNumber",
        "DD$`H",
        "`.rdata",
        "D$ E3",
        "IF /?",
        "D$xE3",
        "invalid argument",
        "_fmode",
        "b$j-0",
        "fD9/t",
        "no protocol option",
        "%6Ru'",
        "fA94Hu",
        "GetStartupInfoW",
        "u%6RRRRRPp",
        "Unknown",
        " \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"",
        "api-ms-win-core-memory-l1-1-0.dll",
        ".text$x",
        "D9l$ ",
        ".idata$6",
        "msvcrt.dll",
        "|$pA;",
        "fE9&tdA",
        "swscanf",
        "L$XE3",
        "_XcptFilter",
        "3t)E3",
        "RoUninitialize",
        "L$Pf9",
        "D8L$P",
        "api-ms-win-core-processthreads-l1-1-0.dll",
        "<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
        "f98tDA",
        "SetThreadUILanguage",
        "network_reset",
        "RtlFreeUnicodeString",
        "t$ UWATAVAWH",
        ".gehcont",
        " A^_^",
        "not a socket",
        "GlobalFree",
        "SaferWorker",
        "GetConsoleOutputCP",
        "fD9,Su",
        " v;f98",
        "fD9lC",
        "D$xH#E"
      ],
      "virustotal": {
        "error": true,
        "msg": "Unable to complete connection to VirusTotal. Status code: 429"
      },
      "executed_tools": [
        "msi_extract",
        "overlay",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\System32\\cmd.exe",
      "process_name": "cmd.exe",
      "module_path": "C:\\Windows\\System32\\cmd.exe",
      "pid": 4120
    }
  ],
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-06-29 16:37:24",
    "ended": "2026-06-29 16:37:58",
    "duration": 34,
    "id": 97,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 97,
      "status": "stopping",
      "name": "win10",
      "label": "win10",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-06-29 16:37:24",
      "shutdown_on": "2026-06-29 16:37:58"
    },
    "package": "generic",
    "timeout": false,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "vnc_port": "5900"
    },
    "source_url": null,
    "route": "internet",
    "user_id": 0,
    "CAPE_current_commit": "394455c2cd85889fb0782bfcf1f8c5c2f7f77b46"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 4120,
        "process_name": "cmd.exe",
        "parent_id": 2892,
        "module_path": "C:\\Windows\\System32\\cmd.exe",
        "first_seen": "2026-06-29 23:37:41,488",
        "calls": [
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "1896",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "1896",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff79a468f50"
              },
              {
                "name": "Parameter",
                "value": "0x6f32100000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "2872",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa077c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 2
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "3572",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00 \\xef\\x8f2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xef\\x8f2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "3572",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "3572",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff987b92f10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "2872",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xef\\x7f2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xef\\x7f2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "2872",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "2872",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff987b93070"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "4500",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf0o2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xf0o2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "4500",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "4500",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff987b92e50"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "3868",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xef_2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xef_2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "3868",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-06-29 23:37:41,707",
            "thread_id": "3868",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff987b92a40"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4693c1",
            "parentcaller": "0x7ff79a468e29",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff79a469370"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a463828",
            "parentcaller": "0x7ff79a468ecd",
            "category": "threading",
            "api": "NtOpenThread",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000009"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001fffff",
                "pretty_value": "THREAD_ALL_ACCESS"
              },
              {
                "name": "ProcessId",
                "value": "0"
              },
              {
                "name": "ThreadId",
                "value": "842004136"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a46052c",
            "parentcaller": "0x7ff79a463839",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a46055b",
            "parentcaller": "0x7ff79a463839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadUILanguage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3ec610"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a463839",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf2/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00o\\x00\\x00\\x00\\xc8\\xf2/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a46387c",
            "parentcaller": "0x7ff79a468ecd",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\System"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4638c6",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x80\\xf5/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x88\\xf5/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a464de7",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00\\xd0\\xf4/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf4/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a464e0b",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xf7\\x7f\\x00\\x00\\xd0\\xf4/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf4/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4605a5",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf5/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf5/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4605cc",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x96k\\x00\\x00\\xa0\\xf4/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x86R\\x00\\x00\\xa8\\xf4/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4606a0",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf5/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf5/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a46060c",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x96k\\x00\\x00\\xa0\\xf4/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x86R\\x00\\x00\\xa8\\xf4/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a46064e",
            "parentcaller": "0x7ff79a464e15",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf5/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf5/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4655e1",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a46562a",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DisableUNCCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a46566e",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "EnableExtensions"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4656c5",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DelayedExpansion"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a465709",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "DefaultColor"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a465760",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "CompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4657d6",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "PathCompletionChar"
              },
              {
                "name": "Data",
                "value": "9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a465869",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "ValueName",
                "value": "AutoRun"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a465882",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4655e1",
            "parentcaller": "0x7ff79a464e35",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Command Processor"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a46589d",
            "parentcaller": "0x7ff79a464e35",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4658ac",
            "parentcaller": "0x7ff79a464e35",
            "category": "misc",
            "api": "srand",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "seed",
                "value": "0x6a4301c5"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a464e3c",
            "parentcaller": "0x7ff79a463931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x244ab5622b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\""
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ad057000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a464e88",
            "parentcaller": "0x7ff79a463931",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x244ab5622b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\""
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2b1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2c1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a463e85",
            "parentcaller": "0x7ff79a4624ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244ab582080",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244ab582bc0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeedf2ef8"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244ab5823e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee3f58c"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244ab582140",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a31",
            "parentcaller": "0x7ff79a463ec7",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244ab582980",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xeee655e5"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0776"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a462a4e",
            "parentcaller": "0x7ff79a463ec7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a463ef0",
            "parentcaller": "0x7ff79a4624ca",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a45aa92",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ab58e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a464f9c",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00D\\x02\\x00\\x00\\xd0\\xf4/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf4/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a465513",
            "parentcaller": "0x7ff79a46521e",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000409",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 62
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2b1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-06-29 23:37:41,723",
            "thread_id": "1896",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ad05b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a4654c4",
            "parentcaller": "0x7ff79a464fc1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ad05b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a464fff",
            "parentcaller": "0x7ff79a463931",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00D\\x02\\x00\\x00 \\xf5/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x0eN\\x00\\x00(\\xf5/2o\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xd0BX\\xabD\\x02\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a4650f9",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a465116",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "CopyFileExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f06c0"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a465137",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "IsDebuggerPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aa3f01b0"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a465151",
            "parentcaller": "0x7ff79a463931",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa3d0000"
              },
              {
                "name": "FunctionName",
                "value": "SetConsoleInputExeNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a8499ae0"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a46517c",
            "parentcaller": "0x7ff79a463931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ad056000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a46517c",
            "parentcaller": "0x7ff79a463931",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ad05c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45bea1",
            "parentcaller": "0x7ff79a4639f4",
            "category": "system",
            "api": "FindFixAndRun",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Command",
                "value": "start"
              },
              {
                "name": "Arguments",
                "value": " /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\""
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45c665",
            "parentcaller": "0x7ff79a45bea1",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf0/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\xa8\\xf0/2o\\x00\\x00\\x00\\x08\\x02\\x00\\x00D\\x02\\x00\\x00\\xb0\\xf3/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2b1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ad056000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2d1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2d6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2db000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2e5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a469a8c",
            "parentcaller": "0x7ff79a469342",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2ea000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45cdc4",
            "parentcaller": "0x7ff79a460c97",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ab593000"
              },
              {
                "name": "RegionSize",
                "value": "0x00020000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a468287",
            "parentcaller": "0x7ff79a462f56",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x244ab582a40",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x7cf40219"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dd0812"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a463a5d",
            "parentcaller": "0x7ff79a462fe0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a461170",
            "parentcaller": "0x7ff79a455ea6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a456019",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "UpdateProcThreadAttribute",
            "status": false,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Attribute",
                "value": "393217"
              },
              {
                "name": "Value",
                "value": "309237645313"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": false,
            "return": "0xffffffffc000012f",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\" "
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45608f",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\" "
              },
              {
                "name": "CreationFlags",
                "value": "0x00080410",
                "pretty_value": "CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "0"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 89
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1896"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000020c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000210"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000020c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a603f000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6035000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6030000"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6030000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a6033f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000224"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000224"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00083000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8768000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8700000"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000208"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000208"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000228"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000228"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000208"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000228"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000228"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x9fE\\x8fO\\xa2r7\\x15S\\x9b?Wq\r\\xe4\t\\xfb\\x16\\xbfC\\xf02d\\x9eWaM\\xa2|z\\xdf\\x103\\xbck\\xbe=\\x8b\\xbb6\\xd8\\x08r\\xf8\\x90+w\\xe5"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8700000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8738cc0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d12000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a99e2000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-06-29 23:37:41,738",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a5b50000"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a5b50000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a5b50000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a5b57ce0"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdc/2o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000234"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000238"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000234"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a45662e",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a456649",
            "parentcaller": "0x7ff79a4564ba",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00X\\xe9/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a465aa5",
            "parentcaller": "0x7ff79a456686",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xe9/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xe9/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a456686",
            "parentcaller": "0x7ff79a4564ba",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00\\x90\\xe9/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x98\\xe9/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a4566b7",
            "parentcaller": "0x7ff79a4564ba",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00o\\x00\\x00\\x00P\\xe9/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xe9/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a4699d7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff79a4ac000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-06-29 23:37:41,754",
            "thread_id": "1896",
            "caller": "0x7ff79a468b32",
            "parentcaller": "0x7ff79a4699d7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff79a4ac000"
              },
              {
                "name": "ModuleName",
                "value": "cmd.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-06-29 23:37:41,770",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32"
              },
              {
                "name": "DllBase",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-06-29 23:37:41,770",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 1,
            "id": 160
          },
          {
            "timestamp": "2026-06-29 23:37:41,770",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SHCORE"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9d30000"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-06-29 23:37:41,770",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-06-29 23:37:41,770",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7a90000"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-06-29 23:37:41,770",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-06-29 23:37:41,785",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\PROPSYS"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-06-29 23:37:41,785",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa3d0000"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-06-29 23:37:41,785",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a9600000"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-06-29 23:37:41,801",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a2720000"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-06-29 23:37:41,801",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 169
          },
          {
            "timestamp": "2026-06-29 23:37:41,817",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 8,
            "id": 170
          },
          {
            "timestamp": "2026-06-29 23:37:41,832",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8050000"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-06-29 23:37:41,832",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 10,
            "id": 172
          },
          {
            "timestamp": "2026-06-29 23:37:41,832",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.Storage.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-06-29 23:37:41,848",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0E5AAE11-A475-4C5B-AB00-C66DE400274E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ADD8BA80-002B-11D0-8F0F-00C04FD7D062"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-06-29 23:37:41,848",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-06-29 23:37:41,848",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "76765B11-3F95-4AF2-AC9D-EA55D8994F1A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-06-29 23:37:41,848",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a6230000"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-06-29 23:37:41,848",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4DF0C730-DF9D-4AE3-9153-AA6B82E9795A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8BE2D872-86AA-4D47-B776-32CCA40C7018"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-06-29 23:37:41,926",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 17,
            "id": 179
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00`\\xeb\\x9f2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xeb\\x9f2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x244ab560b50"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaaae327",
            "parentcaller": "0x7ff9aaa0faf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa05157",
            "parentcaller": "0x7ff9aaa043ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CFGMGR32.dll"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa04d42",
            "parentcaller": "0x7ff9aaa04aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000384"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8110000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0004e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aa9ffee4",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a815b000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aa9fffb5",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8149000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 188
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aa9fffed",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8149000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa00068",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8149000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa0009c",
            "parentcaller": "0x7ff9aa9ffad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8149000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa05082",
            "parentcaller": "0x7ff9aaa079d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8148000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 193
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa37b9c",
            "parentcaller": "0x7ff9aaa2288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8148000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa37b9c",
            "parentcaller": "0x7ff9aaa2288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CFGMGR32"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a8110000"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a8114cdf",
            "parentcaller": "0x7ff9a8123b0d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000384"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\CMApi"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a8114cdf",
            "parentcaller": "0x7ff9a8123b0d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\cfgmgr32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8110000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff9a8123280"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a699a000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a699a000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aa3e5611",
            "parentcaller": "0x7ff9a811f8f8",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000384"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "(\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00#\\x00\\x00\\xc0\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9aa3e5611",
            "parentcaller": "0x7ff9a811ec21",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000384"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "(\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a638acb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000039c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003a0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 203
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "932",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xed\\xaf2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xed\\xaf2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "932",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "932",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x244ab560b50"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "932",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ab5ce000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "932",
            "caller": "0x7ff9a63ca6d1",
            "parentcaller": "0x7ff9a63b12d5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a638ad1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000039c"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xc4\\xd8c\\xf2\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\edputil"
              },
              {
                "name": "DllBase",
                "value": "0x7ff993730000"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "932",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a63b139f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a638acb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000039c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003a4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "932",
            "caller": "0x7ff9a63ca6d1",
            "parentcaller": "0x7ff9a63b12d5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#0000000003300000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a638ad1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a63b139f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003a4"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00o\\xb6d\\x1c\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000039c"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a638acb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000039c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a638acfc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "932",
            "caller": "0x7ff9a63ca6d1",
            "parentcaller": "0x7ff9a63b12d5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{1c192ddb-7371-11f1-9cd4-806e6f6e6963}#00000008E0100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a638ad1a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003a4"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xd9T\\x98P\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x008\\x00E\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a6ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63acca6",
            "parentcaller": "0x7ff9a63a8fe3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-06-29 23:37:41,942",
            "thread_id": "4612",
            "caller": "0x7ff9a63a901f",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003b0"
              },
              {
                "name": "SubKey",
                "value": "{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a63a9047",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a9d4bdab",
            "parentcaller": "0x7ff9a9d4bc22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a63a908b",
            "parentcaller": "0x7ff9a638a72d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af0d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af6d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af0d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a8474f8d",
            "parentcaller": "0x7ff9a638af0d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af6d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a8474f8d",
            "parentcaller": "0x7ff9a638af6d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a846b0fb",
            "parentcaller": "0x7ff9a6361f1d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845ac4b",
            "parentcaller": "0x7ff9a6362e6f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf0\\\\xabD\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a6361f41",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a030",
            "parentcaller": "0x7ff9a8459d56",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af0d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x00e\\x000\\x000\\x008\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a8474dfe",
            "parentcaller": "0x7ff9a638af6d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000003a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x001\\x00e\\x001\\x00a\\x00e\\x007\\x00a\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x00e\\x000\\x000\\x008\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a8474e0e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a4"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "932",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a63b139f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000003c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x244ab5c33e0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "960"
              },
              {
                "name": "ProcessId",
                "value": "4120"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "960",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00`\\xed\\xbf2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xed\\xbf2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "960",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "960",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a977adb0"
              },
              {
                "name": "Parameter",
                "value": "0x244ab5c33e0"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "932",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003d0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000003ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff9a9d45960"
              },
              {
                "name": "Parameter",
                "value": "0x244ad05ce90"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "3892"
              },
              {
                "name": "ProcessId",
                "value": "4120"
              },
              {
                "name": "Module",
                "value": "SHCORE.dll"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xed\\xcf2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xed\\xcf2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9a9d45960"
              },
              {
                "name": "Parameter",
                "value": "0x244ad05ce90"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a8498cfe",
            "parentcaller": "0x7ff9a9d79042",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x112o\\x00\\x00\\x00\\x18\\x10\\x00\\x00\\x00\\x00\\x00\\x004\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3892"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a280f000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a280f000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a280f000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9aaa37871",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a280f000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ab5dd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a9777d31",
            "parentcaller": "0x7ff9a972de55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\WindowsRuntime"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a972ddb2",
            "parentcaller": "0x7ff9a972d0f2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ActivatableClassId"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a97708cd",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.FileTypeAssociation"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a9770927",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003f8"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00h\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00F\\x00i\\x00l\\x00e\\x00T\\x00y\\x00p\\x00e\\x00A\\x00s\\x00s\\x00o\\x00c\\x00i\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\x19\\x01\\x02\\x00D\\x02\\x00\\x00\\xffc9\r\\xffd4'\\xff96k\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\xfff8\\xffea\\xffcf2o\\x00\\x00\\x00Y\\x0e\\xffd4'\\xff96k\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff85X\\xffabD\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xffbb\\\\xffabD\\x02\\x00\\x00@\\xffeb\\xffcf2o\\x00\\x00\\x00\\xffa4L\\xffb5\\xff87\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xfff0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffcd$\\xffd8\\xff87\\xfff9\\x7f\\x00\\x00\\xffe8#\\xffd8\\xff87\\xfff9\\x7f\\x00\\x00\\x00\\xffbb\\\\xffabD\\x02\\x00\\x00\\xffc8\\xffd5\\xffd7\\xff87\\xfff9\\x7f\\x00\\x00\\x19\\x01\\x02\\x00D\\x02\\x00\\x00\\xff98$\\xffd8\\xff87\\xfff9\\x7f\\x00\\x00\\xfff0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff80$\\xffd8\\xff87\\xfff9\\x7f\\x00\\x000\\xffeb\\xffcf2o\\x00\\x00\\x00h\\xffd9\\xffd7\\xff87\\xfff9\\x7f\\x00\\x00@\\xffeb\\xffcf2o\\x00\\x00\\x00\\x00\\xffbf\\\\xffabD\\x02\\x00\\x00\\xffc0\\xffddr\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00D\\x02\\x00\\x00\\xffc0\\xffec\\xffcf2o\\x00\\x00\\x00\\x00\\xffbb\\\\xffabD\\x02\\x00\\x00\\x00\\xff85X\\xffabD\\x02\\x00\\x00\\x10\\xff8b\\\
\xffabD\\x02\\x00\\x00\\xffd76p\\xffa9\\xfff9\\x7f\\x00\\x00$\\x00&\\x00\\x00\\x00\\x00\\x00\\x1c\\xffbf\\\\xffabD\\x02\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x03\\x00\\x00\\x00\\x00\\x00\\x000\\xffeb\\xffcf2o\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0.\\\\xffabD\\x02\\x00\\x00\\xfff2\\xffd0r\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Server"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97807bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Threading"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a97356ac",
            "parentcaller": "0x7ff9a979b1b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003f8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-06-29 23:37:41,957",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9774022",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a975e0c4",
            "parentcaller": "0x7ff9aaa338b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a972ddb2",
            "parentcaller": "0x7ff9a972d0f2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a97708cd",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003a8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "StateRepository"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a9770927",
            "parentcaller": "0x7ff9a972dd38",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003ac"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffcek|\\xffd3\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00\\x00\\x00t\\xffb0=\\xffadD\\x02\\x00\\x000\\x19\\xffe3\\xff87\\xfff9\\x7f\\x00\\x00\\xffb2\\xffddr\\xffa9\\xfff9\\x7f\\x00\\x00\\xffe9N\\xffb3\\xff87\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd9\\xffe6\\xffcf2o\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00D\\x02\\x00\\x00\\xffa0\\x14C\\xffabD\\x02\\x00\\x009\t\\xffd4'\\xff96k\\x00\\x00\\x00\\x00C\\xffabD\\x02\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00H\\xffe7\\xffcf2o\\x00\\x00\\x00\\xff89\\x0b\\xffd4'\\xff96k\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\xffb9\\\\xffabD\\x02\\x00\\x00X\\xff9fY\\xffabD\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x00@\\xffbc\\\\xffabD\\x02\\x00\\x00\\xff90\\xffe7\\xffcf2o\\x00\\x00\\x00\\xffa4L\\xffb5\\xff87\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00\\xffe5j\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffcd$\\xffd8\\xff87\\xfff9\\x7f\\x00\\x00\\xffe8#\\xffd8\\xff87\\xfff9\\x7f\\x00\\x00@\\xffbc\\\\xffabD\\x02\\x00\\x00\\xffc8\\xffd5\\xffd7\\xff87\\xfff9\\x7f\\x00\\x00\\x19\\x01\\x02\\x00D\\x02\\x00\\x00\\xff98$\\xffd8\\xff87\\xfff9\\x7f\\x00\\x00\\xfff0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff80$\\xffd8\\xff87\\xfff9\\x7f\\x00\\x00\\xff80\\xffe7\\xffcf2o\\x00\\x00\\x00h\\xffd9\\xffd7\\xff87\\xfff9\\x7f\\x00\\x00\\xff90\\xffe7\\xffcf2o\\x00\\x00\\x00\\xffe0+\\\\xffabD\\x02\\x00\\x00\\xffc0\\xffddr\\xffa9\\xfff9\\x7f\\x00\\x00\\x00\\x00\\x00\\x00D\\x02\\x00\\x00\\xff90\\xffe9\\xffcf2o\\x00\
\x00\\x00@\\xffbc\\\\xffabD\\x02\\x00\\x00\\xffb0\\xffb9\\\\xffabD\\x02\\x00\\x00\\xffe0+\\\\xffabD\\x02\\x00\\x00\\x00\\x00\\x00\\x00o\\x00\\x00\\x00\\x0c\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\xfffc+\\\\xffabD\\x02\\x00\\x000\\x00\\x00\\x00D\\x02\\x00\\x00\\xfff0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe7\\xffcf2o\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`-\\\\xffabD\\x02\\x00\\x00\\xfff2\\xffd0r\\xffa9\\xfff9\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97807bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ExePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97807bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "CommandLine"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "IdentityType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9774022",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x000000ea",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Type",
                "value": "0x7ff900000003"
              },
              {
                "name": "DataLength",
                "value": "184"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9774022",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a9789d40",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ActivatableClasses"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ServerType"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "AppId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "Identity"
              },
              {
                "name": "Data",
                "value": "nt authority\\system"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a975ae1b",
            "parentcaller": "0x7ff9a97792f0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ServiceName"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a976d862",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              },
              {
                "name": "ValueName",
                "value": "ExplicitPsmActivationType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a97356ac",
            "parentcaller": "0x7ff9a979b1b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003ac"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a976ab76",
            "parentcaller": "0x7ff9a976f113",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ac"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a976ab76",
            "parentcaller": "0x7ff9a976f113",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003fc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a9c32140",
            "parentcaller": "0x7ff9a9c31ddd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ab5e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8462d8a",
            "parentcaller": "0x7ff9a96cfb64",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfb82",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoGetMarshalSizeMax"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9760fc0"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfb9f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfbbc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a96cfbd9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ab5e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a96d879f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000408"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a84a518d",
            "parentcaller": "0x7ff9a84646e4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af7e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8462338",
            "parentcaller": "0x7ff9a84a9215",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8464b01",
            "parentcaller": "0x7ff9a84642d1",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 338
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a8464cf6",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a84a518d",
            "parentcaller": "0x7ff9a8464c2a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af7f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8464cad",
            "parentcaller": "0x7ff9a8464c5d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040c"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a978516f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e8d00"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785199",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96e67a0"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a97851c3",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9747c50"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a97851ed",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9768bb0"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785217",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a9767040"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a9785241",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a96dc030"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a978526b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a96b0000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a970b8c0"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a978507f",
            "parentcaller": "0x7ff9aaa338b0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a96e6f09",
            "parentcaller": "0x7ff9a976771d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9aa9fe715",
            "parentcaller": "0x7ff9aa9fe37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ab5e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}"
              },
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000412"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000024a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xba\\xcf2o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00o\\x00\\x00\\x00\\x90\\xbb\\xcf2o\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-06-29 23:37:41,973",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000412"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xb9\\xcf2o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00o\\x00\\x00\\x00 \\xba\\xcf2o\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xb9\\xcf2o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00o\\x00\\x00\\x00 \\xba\\xcf2o\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a97295e4",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000024a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xb7\\xcf2o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00o\\x00\\x00\\x00P\\xb8\\xcf2o\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a97740e1",
            "parentcaller": "0x7ff9a972968d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9729c65",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a9729ef5",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000412"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a17d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972a22c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a972ac16",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a9729fcf",
            "parentcaller": "0x7ff9a9729d0e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb5\\xcf2o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00o\\x00\\x00\\x00\\xe0\\xb6\\xcf2o\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb5\\xcf2o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00o\\x00\\x00\\x00\\xe0\\xb6\\xcf2o\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a972ae1c",
            "parentcaller": "0x7ff9a9728039",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000412"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845e482",
            "parentcaller": "0x7ff9a9728085",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8460827",
            "parentcaller": "0x7ff9a845fb22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d754",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9aaa26c8b",
            "parentcaller": "0x7ff9a845d7e0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xb5\\xcf2o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\x93\\x84x\\xc2/\\x8a\\x97\tv\\xbf\\xb4\\x82\\xea\\x03\\x00\\x00\\xf9\\x7f\\x00\\x00\\xe8#\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x12\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\xd8\\x87\\xf9\\x7f\\x00\\x00\\x04\\x00\\x00\\x00o\\x00\\x00\\x00 \\xb6\\xcf2o\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845d8e8",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3262678163-160926255-2192883574-1002_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845fd34",
            "parentcaller": "0x7ff9a845da04",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000412"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845da22",
            "parentcaller": "0x7ff9a845fb59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000412"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a972b02a",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000024a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a972b061",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000416"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a972b0c5",
            "parentcaller": "0x7ff9a9729e28",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a9729a80",
            "parentcaller": "0x7ff9a96eae14",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a970953c",
            "parentcaller": "0x7ff9a970806b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000412"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a9708090",
            "parentcaller": "0x7ff9a96dace7",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-06-29 23:37:41,988",
            "thread_id": "3892",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a1300000"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a1300000"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a845ae12",
            "parentcaller": "0x7ff9a972d475",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff9a1300000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3d7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a1300000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a1307340"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d3f0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a1300000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a8470741",
            "parentcaller": "0x7ff9a972d410",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a1300000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9a1307380"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              },
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000412"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000416"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a96de87e",
            "parentcaller": "0x7ff9a96de27f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9aaa26798",
            "parentcaller": "0x7ff9a84952e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000410"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9aaa267b9",
            "parentcaller": "0x7ff9a84952e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a9c32140",
            "parentcaller": "0x7ff9a9c31ddd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9aaa33f6a",
            "parentcaller": "0x7ff9a9bff557",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a97092aa",
            "parentcaller": "0x7ff9a97090af",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}"
              },
              {
                "name": "Handle",
                "value": "0x0000041a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a9768313",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000041a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000041e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a976834e",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a9768377",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041e"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a9768388",
            "parentcaller": "0x7ff9a96e293b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041a"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a8451a8e",
            "parentcaller": "0x7ff9a9766a91",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9a8498cfe",
            "parentcaller": "0x7ff9a9d476bf",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x112o\\x00\\x00\\x00\\x18\\x10\\x00\\x00\\x00\\x00\\x00\\x004\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3892"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x7ff9aaa37820",
            "parentcaller": "0x7ff9aaa220f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "3892",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9dd7000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.UI.AppDefaults"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9903b0000"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.UI.AppDefaults.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9903b0000"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-06-29 23:37:42,004",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff994050000"
              }
            ],
            "repeated": 1,
            "id": 463
          },
          {
            "timestamp": "2026-06-29 23:37:42,020",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-06-29 23:37:42,051",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 465
          },
          {
            "timestamp": "2026-06-29 23:37:42,082",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\iertutil"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f680000"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-06-29 23:37:42,082",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\srvcli"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f650000"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-06-29 23:37:42,082",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\netutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a75f0000"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-06-29 23:37:42,082",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\urlmon"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99f930000"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-06-29 23:37:42,082",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 5,
            "id": 470
          },
          {
            "timestamp": "2026-06-29 23:37:42,082",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa760000"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-06-29 23:37:42,098",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a7200000"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-06-29 23:37:42,098",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a35e0000"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-06-29 23:37:42,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\urlmon.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99f930000"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-06-29 23:37:42,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "79EAC9EE-BAF9-11CE-8C82-00AA004BA90B"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-06-29 23:37:42,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "API-MS-WIN-CORE-URL-L1-1-0.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8430000"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-06-29 23:37:42,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 477
          },
          {
            "timestamp": "2026-06-29 23:37:42,129",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8a40000"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-06-29 23:37:42,129",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\apphelp"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a5a30000"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-06-29 23:37:42,129",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-06-29 23:37:42,129",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-06-29 23:37:42,942",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-06-29 23:37:42,942",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ff99eea0000"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-06-29 23:37:42,942",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff99eea0000"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-06-29 23:37:42,957",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "ED1D0FDF-4414-470A-A56D-CFB68623FC58"
              },
              {
                "name": "ClsContext",
                "value": "0x00000017",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "riid",
                "value": "7F9185B0-CB92-43C5-80A9-92277A4F7B54"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-06-29 23:37:42,957",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 486
          },
          {
            "timestamp": "2026-06-29 23:37:42,957",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x7ff9a4dc0000"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-06-29 23:37:42,957",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4dc0000"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-06-29 23:37:42,973",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F1C46D71-B791-4110-8D5C-7108F22C1010"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8A43ED9F-F4E6-4421-ACF9-1DAB2986820C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-06-29 23:37:42,973",
            "thread_id": "1896",
            "caller": "0x7ff79a457989",
            "parentcaller": "0x7ff79a4566e5",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a4dc0000"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-06-29 23:37:42,973",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a8a40000"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-06-29 23:37:42,973",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-06-29 23:37:42,988",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\RTWorkQ"
              },
              {
                "name": "DllBase",
                "value": "0x7ff991500000"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-06-29 23:37:42,988",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\mfmp4srcsnk"
              },
              {
                "name": "DllBase",
                "value": "0x7ff986060000"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-06-29 23:37:42,988",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mfmp4srcsnk.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff986060000"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-06-29 23:37:43,004",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-06-29 23:37:43,004",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SHCore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9d30000"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-06-29 23:37:43,004",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E2EB4CA4-C96E-4DA4-94B1-673C8334A5BB"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "265CFCAA-9B0C-44CA-996F-4A6F6620C72D"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-06-29 23:37:43,020",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MFPlat"
              },
              {
                "name": "DllBase",
                "value": "0x7ff990d80000"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "932",
            "caller": "0x7ff9aaa44909",
            "parentcaller": "0x7ff9aaa4362d",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000050c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "932",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "932"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4612",
            "caller": "0x7ff9aaa44909",
            "parentcaller": "0x7ff9aaa4362d",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005b8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4612",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4612"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4612",
            "caller": "0x7ff9aaa4ea52",
            "parentcaller": "0x7ff9aaa074ed",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 504
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "932",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f032",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d0"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "932",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f0f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "932",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f032",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b4"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4612",
            "caller": "0x7ff9a845a3c5",
            "parentcaller": "0x7ff9a9c4f0f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004b0"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4612",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4972",
            "caller": "0x7ff9aaa44909",
            "parentcaller": "0x7ff9aaa4362d",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005b8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4972",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4972"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "4972",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "3944",
            "caller": "0x7ff9aaa44909",
            "parentcaller": "0x7ff9aaa4362d",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005bc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "3944",
            "caller": "0x7ff9aaa4461e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3944"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-06-29 23:37:43,051",
            "thread_id": "3944",
            "caller": "0x7ff9aaa4463e",
            "parentcaller": "0x7ff9aaa436e8",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-06-29 23:37:43,067",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CDC82860-468D-4D4E-B7E7-C298FF23AB2C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "5632B1A4-E38A-400A-928A-D4CD63230295"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-06-29 23:37:43,067",
            "thread_id": "4932",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf2?2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf2?2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-06-29 23:37:43,067",
            "thread_id": "4932",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-06-29 23:37:43,067",
            "thread_id": "4932",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x244ab560b50"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-06-29 23:37:43,067",
            "thread_id": "4932",
            "caller": "0x7ff9a84801fc",
            "parentcaller": "0x7ff9a9c24a33",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005cc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-06-29 23:37:43,082",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\oleaut32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-06-29 23:37:43,082",
            "thread_id": "3588",
            "caller": "0x7ff9a8441751",
            "parentcaller": "0x7ff9a8441420",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffffc00700bb",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xebO2o\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xebO2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-06-29 23:37:43,082",
            "thread_id": "3588",
            "caller": "0x7ff9aaa64f9d",
            "parentcaller": "0x7ff9aaa64b63",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-06-29 23:37:43,082",
            "thread_id": "3588",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff9aaa42ad0"
              },
              {
                "name": "Parameter",
                "value": "0x244ab560b50"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-06-29 23:37:43,082",
            "thread_id": "4932",
            "caller": "0x7ff9a971c698",
            "parentcaller": "0x7ff9a97a8e25",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000e0498"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-06-29 23:37:43,098",
            "thread_id": "1896",
            "caller": "0x7ff79a4566e5",
            "parentcaller": "0x7ff79a4564ba",
            "category": "process",
            "api": "ShellExecuteExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "FilePath",
                "value": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4"
              },
              {
                "name": "Parameters",
                "value": ""
              },
              {
                "name": "Show",
                "value": "1",
                "pretty_value": "SW_SHOWNORMAL"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-06-29 23:37:43,098",
            "thread_id": "1896",
            "caller": "0x7ff79a456713",
            "parentcaller": "0x7ff79a4564ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a456713",
            "parentcaller": "0x7ff79a4564ba",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9a9530000"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a45617a",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a45618e",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4561a2",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2d9000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4561b6",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2d9000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4561ca",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2d1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a456204",
            "parentcaller": "0x7ff79a45c862",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2d1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4605a5",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x96k\\x00\\x000\\xf6/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x008\\xf6/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4605cc",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00P\\xf5/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x86R\\x00\\x00X\\xf5/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4606a0",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xf6/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x008\\xf6/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a46060c",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x02\\x00\\x00P\\xf5/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x86R\\x00\\x00X\\xf5/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a46064e",
            "parentcaller": "0x7ff79a46398b",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xf6/2o\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xf7\\x7f\\x00\\x008\\xf6/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a463992",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf5/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00o\\x00\\x00\\x00\\x88\\xf5/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a4639b3",
            "parentcaller": "0x7ff79a468ecd",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000044"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\ConDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00500016"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xf2/2o\\x00\\x00\\x00\\x08\\x00\\x00\\x00o\\x00\\x00\\x00\\xc8\\xf2/2o\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "mscoree.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x528600000000"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-06-29 23:37:43,113",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004cc"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e0"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f4"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f8"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtUpdateWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa90710"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004bc"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c0"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000490"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000049c"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000448"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af2a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ad056000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000494"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af810000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000488"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000480"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000043c"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000438"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000045c"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000440"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000410"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000420"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000430"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000454"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000450"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044c"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000424"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244ad000000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000240"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a0"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "NtUpdateWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa90710"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af800000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042c"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a0"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000390"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000258"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244acfd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244af480000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x244acfe0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000208"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000228"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000020c"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d0"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001d4"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001cc"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001bc"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000019c"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001a0"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000198"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000180"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000184"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000188"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000018c"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000190"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000194"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff9a93b0000"
              },
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000178"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000017c"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000174"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000408"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000154"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000015c"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000160"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000164"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000168"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000170"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000016c"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000134"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000138"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000130"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c4"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-06-29 23:37:43,176",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000012c"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000124"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000128"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000120"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000011c"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000118"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a8"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000104"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000ec"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f0"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f4"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000f8"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000fc"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000100"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000010c"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000108"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e8"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e0"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e4"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000cc"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-06-29 23:37:43,192",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000c4"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000009c"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a0"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a4"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a4"
              },
              {
                "name": "ValueName",
                "value": "DisableMetaFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a4"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000a4"
              },
              {
                "name": "ValueName",
                "value": "DisableUmpdBufferSizeCheck"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000a4"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000098"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000094"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000090"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff9aa9f0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff9aaa53330"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001c4"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000088"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000068"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000005c"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000064"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-06-29 23:37:43,207",
            "thread_id": "1896",
            "caller": "0x7ff79a464c38",
            "parentcaller": "0x7ff79a4639c8",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 731
          }
        ],
        "threads": [
          "1896",
          "2872",
          "3572",
          "4500",
          "3868",
          "4612",
          "932",
          "960",
          "3892",
          "4972",
          "3944",
          "4932",
          "3588"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff79a450000",
          "MainExeSize": "0x00067000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "cmd.exe",
        "pid": 4120,
        "parent_id": 2892,
        "module_path": "C:\\Windows\\System32\\cmd.exe",
        "children": [],
        "threads": [
          "1896",
          "2872",
          "3572",
          "4500",
          "3868",
          "4612",
          "932",
          "960",
          "3892",
          "4972",
          "3944",
          "4932",
          "3588"
        ],
        "environ": {
          "UserName": "Rajesh",
          "ComputerName": "DESKTOP-P54VDBR",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "1c64-b66f",
          "SystemVolumeGUID": "e1e1ae7a-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff79a450000",
          "MainExeSize": "0x00067000",
          "Bitness": "64-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp",
        "C:\\Users",
        "C:\\Users\\Rajesh",
        "C:\\Users\\Rajesh\\AppData",
        "C:\\Users\\Rajesh\\AppData\\Local",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4",
        "C:\\Windows\\System32\\kernel.appcore.dll",
        "\\Device\\CNG",
        "\\Device\\DeviceApi\\CMApi",
        "\\??\\MountPointManager"
      ],
      "read_files": [],
      "write_files": [],
      "delete_files": [],
      "keys": [
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{89BC3F49-F8D9-5103-BA13-DE497E609167}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck"
      ],
      "write_keys": [],
      "delete_keys": [],
      "executed_commands": [
        "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\"",
        "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4 "
      ],
      "resolved_apis": [],
      "mutexes": [],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,723",
        "eid": 1,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,723",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,723",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,723",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,723",
        "eid": 5,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,723",
        "eid": 6,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,723",
        "eid": 7,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
          "content": "9"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,723",
        "eid": 8,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,738",
        "eid": 9,
        "data": {
          "file": "KERNEL32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-29 23:37:41,738",
        "eid": 10,
        "data": {
          "file": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\" "
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,738",
        "eid": 11,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,738",
        "eid": 12,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,738",
        "eid": 13,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,738",
        "eid": 14,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,738",
        "eid": 15,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,738",
        "eid": 16,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a5b50000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,754",
        "eid": 17,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,754",
        "eid": 18,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,770",
        "eid": 19,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,785",
        "eid": 20,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa3d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,801",
        "eid": 21,
        "data": {
          "file": "C:\\Windows\\System32\\propsys.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a2720000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,832",
        "eid": 22,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.Storage.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a6230000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,848",
        "eid": 23,
        "data": {
          "file": "C:\\Windows\\System32\\windows.storage.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a6230000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,942",
        "eid": 24,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xc4\\xd8c\\xf2\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,942",
        "eid": 25,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,942",
        "eid": 26,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00o\\xb6d\\x1c\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,942",
        "eid": 27,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,942",
        "eid": 28,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xd9T\\x98P\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x001\\x00c\\x001\\x009\\x002\\x00d\\x00d\\x00b\\x00-\\x007\\x003\\x007\\x001\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x009\\x00c\\x00d\\x004\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x008\\x00E\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 29,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 30,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 31,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 32,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 33,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 34,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 35,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 36,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,957",
        "eid": 37,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 38,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 39,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 40,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.FileTypeAssociation\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 41,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 42,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 43,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 44,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 45,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 46,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 47,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 48,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 49,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
          "content": "nt authority\\system"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 50,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 51,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 52,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 53,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 54,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,973",
        "eid": 55,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 56,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 57,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 58,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 59,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 60,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 61,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 62,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 63,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 64,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 65,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 66,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 67,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:41,988",
        "eid": 68,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,004",
        "eid": 69,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a1300000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,004",
        "eid": 70,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:42,004",
        "eid": 71,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:42,004",
        "eid": 72,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{89bc3f49-f8d9-5103-ba13-de497e609167}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,004",
        "eid": 73,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.UI.AppDefaults.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9903b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,004",
        "eid": 74,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff994050000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,020",
        "eid": 75,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,082",
        "eid": 76,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa760000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,113",
        "eid": 77,
        "data": {
          "file": "C:\\Windows\\System32\\urlmon.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99f930000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,113",
        "eid": 78,
        "data": {
          "file": "API-MS-WIN-CORE-URL-L1-1-0.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8430000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,129",
        "eid": 79,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8a40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,129",
        "eid": 80,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9aa9f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,942",
        "eid": 81,
        "data": {
          "file": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff99eea0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,957",
        "eid": 82,
        "data": {
          "file": "C:\\Windows\\System32\\WinTypes.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a4dc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,973",
        "eid": 83,
        "data": {
          "file": "C:\\Windows\\System32\\WinTypes.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a4dc0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,973",
        "eid": 84,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a8a40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:42,988",
        "eid": 85,
        "data": {
          "file": "C:\\Windows\\System32\\mfmp4srcsnk.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff986060000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,004",
        "eid": 86,
        "data": {
          "file": "C:\\Windows\\System32\\SHCore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a9d30000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,082",
        "eid": 87,
        "data": {
          "file": "C:\\Windows\\System32\\oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ff9a9530000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-06-29 23:37:43,098",
        "eid": 88,
        "data": {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,113",
        "eid": 89,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,113",
        "eid": 90,
        "data": {
          "file": "mscoree.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 91,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 92,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 93,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 94,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 95,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 96,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 97,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 98,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,176",
        "eid": 99,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:43,207",
        "eid": 100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-06-29 23:37:43,207",
        "eid": 101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,207",
        "eid": 102,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-06-29 23:37:43,207",
        "eid": 103,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": [],
      "com_activations": []
    }
  },
  "debug": {
    "log": "2026-06-29 14:58:59,526 [root] INFO: Date set to: 20260629T16:37:29, timeout set to: 200\n2026-06-29 16:37:29,180 [root] DEBUG: Starting analyzer from: C:\\2_6me6uj\n2026-06-29 16:37:29,181 [root] DEBUG: Storing results at: C:\\xUytmwVfoP\n2026-06-29 16:37:29,182 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\EcXQecBoz\n2026-06-29 16:37:29,182 [root] DEBUG: Python path: C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314\n2026-06-29 16:37:29,183 [root] INFO: analysis running as an admin\n2026-06-29 16:37:29,183 [root] DEBUG: no analysis package configured, picking one for you\n2026-06-29 16:37:29,274 [root] INFO: analysis package selected: \"generic\"\n2026-06-29 16:37:29,275 [root] DEBUG: importing analysis package module: \"modules.packages.generic\"...\n2026-06-29 16:37:29,282 [root] DEBUG: imported analysis package \"generic\"\n2026-06-29 16:37:29,283 [root] DEBUG: initializing analysis package \"generic\"...\n2026-06-29 16:37:29,283 [lib.common.common] INFO: no wrapping\n2026-06-29 16:37:29,284 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-29 16:37:29,285 [root] DEBUG: New location of moved file: C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\n2026-06-29 16:37:29,285 [root] INFO: Analyzer: Package modules.packages.generic does not specify a dll option\n2026-06-29 16:37:29,285 [root] INFO: Analyzer: Package modules.packages.generic does not specify a dll_64 option\n2026-06-29 16:37:29,286 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader option\n2026-06-29 16:37:29,286 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader_64 option\n2026-06-29 16:37:29,306 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-06-29 16:37:29,318 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-06-29 16:37:29,344 [root] DEBUG: Imported auxiliary module 
\"modules.auxiliary.disguise\"\n2026-06-29 16:37:29,488 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-06-29 16:37:29,496 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-06-29 16:37:29,497 [lib.api.screenshot] ERROR: No module named 'PIL'\n2026-06-29 16:37:29,498 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-06-29 16:37:29,501 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-06-29 16:37:29,502 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-06-29 16:37:29,502 [root] DEBUG: attempting to configure 'Browser' from data\n2026-06-29 16:37:29,504 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-06-29 16:37:29,504 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-06-29 16:37:29,507 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-06-29 16:37:29,508 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-06-29 16:37:29,509 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-06-29 16:37:29,509 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-06-29 16:37:29,510 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-06-29 16:37:29,510 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-06-29 16:37:30,279 [modules.auxiliary.digisig] DEBUG: File has an invalid signature\n2026-06-29 16:37:30,280 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-06-29 16:37:30,284 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-06-29 16:37:30,284 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-06-29 16:37:30,284 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-06-29 16:37:30,285 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-06-29 16:37:30,285 [root] DEBUG: Trying to start 
auxiliary module \"modules.auxiliary.disguise\"...\n2026-06-29 16:37:30,291 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 3728)\n2026-06-29 16:37:30,296 [modules.auxiliary.disguise] INFO: Disguising GUID to 66c92be0-096a-4693-b2f4-39ea0ebbe16e\n2026-06-29 16:37:30,297 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-06-29 16:37:30,297 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-06-29 16:37:30,298 [root] DEBUG: attempting to configure 'Human' from data\n2026-06-29 16:37:30,299 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-06-29 16:37:30,299 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-06-29 16:37:30,366 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-06-29 16:37:30,366 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-06-29 16:37:30,369 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-06-29 16:37:30,370 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-06-29 16:37:30,370 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-06-29 16:37:30,380 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2026-06-29 16:37:30,380 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-06-29 16:37:30,381 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-06-29 16:37:30,382 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-06-29 16:37:30,383 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-06-29 16:37:30,383 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-06-29 16:37:30,389 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process\n2026-06-29 16:37:30,390 [root] DEBUG: Started auxiliary module 
modules.auxiliary.tlsdump\n2026-06-29 16:37:36,622 [root] INFO: Restarting WMI Service\n2026-06-29 16:37:38,844 [root] DEBUG: package modules.packages.generic does not support configure, ignoring\n2026-06-29 16:37:38,845 [root] WARNING: configuration error for package modules.packages.generic: error importing data.packages.generic: No module named 'data.packages'\n2026-06-29 16:37:38,846 [lib.core.compound] INFO: C:\\Users\\Rajesh\\AppData\\Local\\Temp already exists, skipping creation\n2026-06-29 16:37:38,848 [lib.api.process] INFO: Successfully executed process from path \"C:\\Windows\\system32\\cmd.exe\" with arguments \"/c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\"\" with pid 4120\n2026-06-29 16:37:39,208 [lib.api.process] INFO: Monitor config for process 4120: C:\\2_6me6uj\\dll\\4120.ini\n2026-06-29 16:37:39,224 [lib.api.process] INFO: 64-bit DLL to inject is C:\\2_6me6uj\\dll\\QpoIZn.dll, loader C:\\2_6me6uj\\bin\\dmvuBXAR.exe\n2026-06-29 16:37:39,246 [root] DEBUG: Loader: Injecting process 4120 (thread 1896) with C:\\2_6me6uj\\dll\\QpoIZn.dll.\n2026-06-29 16:37:39,248 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-06-29 16:37:39,250 [root] DEBUG: Successfully injected DLL C:\\2_6me6uj\\dll\\QpoIZn.dll.\n2026-06-29 16:37:39,253 [lib.api.process] INFO: Injected into 64-bit <Process 4120 cmd.exe>\n2026-06-29 16:37:41,269 [lib.api.process] INFO: Successfully resumed process with pid 4120\n2026-06-29 16:37:41,480 [root] DEBUG: 4120: Python path set to 'C:\\Users\\Rajesh\\AppData\\Local\\Programs\\Python\\Python314'.\n2026-06-29 16:37:41,484 [root] DEBUG: 4120: Disabling sleep skipping.\n2026-06-29 16:37:41,485 [root] DEBUG: 4120: Dropped file limit defaulting to 100.\n2026-06-29 16:37:41,505 [root] DEBUG: 4120: YaraInit: Compiled 44 rule files\n2026-06-29 16:37:41,510 [root] DEBUG: 4120: YaraInit: Compiled rules saved to file C:\\2_6me6uj\\data\\yara\\capemon.yac\n2026-06-29 16:37:41,563 [root] DEBUG: 
4120: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0\n2026-06-29 16:37:41,564 [root] DEBUG: 4120: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a\n2026-06-29 16:37:41,569 [root] DEBUG: 4120: YaraScan hit: FindFixAndRun\n2026-06-29 16:37:41,570 [root] DEBUG: 4120: Monitor initialised: 64-bit capemon loaded in process 4120 at 0x00007FF987A90000, thread 1896, image base 0x00007FF79A450000, stack from 0x0000006F32204000-0x0000006F32300000\n2026-06-29 16:37:41,571 [root] DEBUG: 4120: Commandline: \"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\"\n2026-06-29 16:37:41,587 [root] DEBUG: 4120: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress\n2026-06-29 16:37:41,654 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-06-29 16:37:41,655 [root] DEBUG: 4120: set_hooks: Unable to hook LockResource\n2026-06-29 16:37:41,672 [root] DEBUG: 4120: Hooked 630 out of 631 functions\n2026-06-29 16:37:41,677 [root] DEBUG: 4120: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF79A45C620\n2026-06-29 16:37:41,680 [root] DEBUG: 4120: Syscall hook installed, syscall logging level 1\n2026-06-29 16:37:41,696 [root] DEBUG: 4120: RestoreHeaders: Restored original import table.\n2026-06-29 16:37:41,698 [root] INFO: Loaded monitor into process with pid 4120\n2026-06-29 16:37:41,700 [root] DEBUG: 4120: caller_dispatch: Added region at 0x00007FF79A450000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF79A4693C1, thread 1896).\n2026-06-29 16:37:41,702 [root] DEBUG: 4120: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a\n2026-06-29 16:37:41,712 [root] DEBUG: 4120: ProcessImageBase: Main module image at 0x00007FF79A450000 unmodified (entropy change 0.000000e+00)\n2026-06-29 16:37:41,736 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A6030000: 
C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-06-29 16:37:41,738 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A8700000: C:\\Windows\\System32\\bcryptPrimitives (0x83000 bytes).\n2026-06-29 16:37:41,743 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A5B50000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-06-29 16:37:41,763 [root] DEBUG: 4120: DLL loaded at 0x00007FF994050000: C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32 (0x29a000 bytes).\n2026-06-29 16:37:41,767 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A9D30000: C:\\Windows\\System32\\SHCORE (0xad000 bytes).\n2026-06-29 16:37:41,770 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A7A90000: C:\\Windows\\system32\\Wldp (0x2c000 bytes).\n2026-06-29 16:37:41,771 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A6230000: C:\\Windows\\SYSTEM32\\windows.storage (0x790000 bytes).\n2026-06-29 16:37:41,775 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A2720000: C:\\Windows\\system32\\PROPSYS (0xf6000 bytes).\n2026-06-29 16:37:41,788 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A9600000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-06-29 16:37:41,826 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A8050000: C:\\Windows\\system32\\profapi (0x1f000 bytes).\n2026-06-29 16:37:41,935 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A8110000: C:\\Windows\\System32\\CFGMGR32 (0x4e000 bytes).\n2026-06-29 16:37:41,942 [root] DEBUG: 4120: DLL loaded at 0x00007FF993730000: C:\\Windows\\system32\\edputil (0x24000 bytes).\n2026-06-29 16:37:41,990 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A1300000: C:\\Windows\\System32\\Windows.StateRepositoryPS (0x146000 bytes).\n2026-06-29 16:37:42,006 [root] DEBUG: 4120: DLL loaded at 0x00007FF9903B0000: C:\\Windows\\System32\\Windows.UI.AppDefaults (0x4c000 bytes).\n2026-06-29 16:37:42,081 [root] DEBUG: 4120: DLL loaded at 0x00007FF99F680000: C:\\Windows\\system32\\iertutil (0x2b0000 bytes).\n2026-06-29 
16:37:42,083 [root] DEBUG: 4120: DLL loaded at 0x00007FF99F650000: C:\\Windows\\system32\\srvcli (0x28000 bytes).\n2026-06-29 16:37:42,084 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A75F0000: C:\\Windows\\system32\\netutils (0xc000 bytes).\n2026-06-29 16:37:42,088 [root] DEBUG: 4120: DLL loaded at 0x00007FF99F930000: C:\\Windows\\system32\\urlmon (0x1eb000 bytes).\n2026-06-29 16:37:42,100 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A7200000: C:\\Windows\\system32\\msvcp110_win (0x8a000 bytes).\n2026-06-29 16:37:42,101 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A35E0000: C:\\Windows\\SYSTEM32\\policymanager (0xa0000 bytes).\n2026-06-29 16:37:42,125 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A5A30000: C:\\Windows\\SYSTEM32\\apphelp (0x90000 bytes).\n2026-06-29 16:37:42,948 [root] DEBUG: 4120: DLL loaded at 0x00007FF99EEA0000: C:\\Windows\\System32\\OneCoreUAPCommonProxyStub (0x798000 bytes).\n2026-06-29 16:37:42,963 [root] DEBUG: 4120: DLL loaded at 0x00007FF9A4DC0000: C:\\Windows\\System32\\wintypes (0x154000 bytes).\n2026-06-29 16:37:42,985 [root] DEBUG: 4120: DLL loaded at 0x00007FF991500000: C:\\Windows\\System32\\RTWorkQ (0x30000 bytes).\n2026-06-29 16:37:42,986 [root] DEBUG: 4120: DLL loaded at 0x00007FF986060000: C:\\Windows\\System32\\mfmp4srcsnk (0x206000 bytes).\n2026-06-29 16:37:43,016 [root] DEBUG: 4120: DLL loaded at 0x00007FF990D80000: C:\\Windows\\System32\\MFPlat (0x1bc000 bytes).\n2026-06-29 16:37:43,118 [root] DEBUG: 4120: NtTerminateProcess hook: Attempting to dump process 4120\n2026-06-29 16:37:43,120 [root] DEBUG: 4120: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching\n2026-06-29 16:37:43,121 [root] DEBUG: 4120: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF79A450000.\n2026-06-29 16:37:43,122 [root] DEBUG: 4120: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-06-29 16:37:43,123 [root] DEBUG: 4120: DumpProcess: Instantiating PeParser with address: 
0x00007FF79A450000.\n2026-06-29 16:37:43,124 [root] DEBUG: 4120: DumpProcess: Module entry point VA is 0x00007FF79A468F50.\n2026-06-29 16:37:43,161 [lib.common.results] INFO: Uploading file C:\\xUytmwVfoP\\CAPE\\4120_69823243372329162026 to procdump\\7c4d1031e9b4e2df6c5f9d12568c6ca93d6bcafaef81b4e2a6c1e540e4de07d0; Size is 401920; Max size: 100000000\n2026-06-29 16:37:43,171 [root] DEBUG: 4120: DumpProcess: Module image dump success - dump size 0x62200.\n2026-06-29 16:37:43,206 [root] INFO: Process with pid 4120 has terminated\n2026-06-29 16:37:44,797 [modules.auxiliary.human] INFO: Found button \"recommended settings\", clicking it\n2026-06-29 16:37:48,406 [root] INFO: Process list is empty, terminating analysis\n2026-06-29 16:37:49,420 [root] INFO: Created shutdown mutex\n2026-06-29 16:37:50,446 [root] INFO: Shutting down package\n2026-06-29 16:37:50,446 [root] INFO: Stopping auxiliary modules\n2026-06-29 16:37:50,447 [root] INFO: Stopping auxiliary module: Browser\n2026-06-29 16:37:50,447 [root] INFO: Stopping auxiliary module: Human\n2026-06-29 16:37:51,884 [modules.auxiliary.human] INFO: Found button \"recommended settings\", clicking it\n2026-06-29 16:37:53,904 [root] INFO: Stopping auxiliary module: Screenshots\n2026-06-29 16:37:53,905 [root] INFO: Finishing auxiliary modules\n2026-06-29 16:37:53,906 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-06-29 16:37:53,907 [root] WARNING: Folder at path \"C:\\xUytmwVfoP\\debugger\" does not exist, skipping\n2026-06-29 16:37:53,907 [root] WARNING: Folder at path \"C:\\xUytmwVfoP\\tlsdump\" does not exist, skipping\n2026-06-29 16:37:53,909 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "a0ea374b050d3bede6b74ea69b77fa9d012ebc6617132681d7d5e6e98a600f03",
    "hosts": [
      {
        "ip": "192.178.183.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "beacons.gcp.gvt2.com",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "142.251.16.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "172.253.157.95",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "151.101.206.172",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "20.190.159.23",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [
      {
        "domain": "wmploc.dll",
        "ip": ""
      },
      {
        "domain": "beacons.gcp.gvt2.com",
        "ip": "192.178.183.94"
      }
    ],
    "tcp": [
      {
        "src": "192.168.122.139",
        "sport": 49769,
        "dst": "20.190.159.23",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.122.139",
        "sport": 49780,
        "dst": "20.190.159.23",
        "dport": 443,
        "offset": 5750,
        "time": 0.21062016487121582
      },
      {
        "src": "192.168.122.139",
        "sport": 49781,
        "dst": "151.101.206.172",
        "dport": 80,
        "offset": 17808,
        "time": 0.3143939971923828
      },
      {
        "src": "192.168.122.139",
        "sport": 49782,
        "dst": "151.101.206.172",
        "dport": 80,
        "offset": 36659,
        "time": 0.5596141815185547
      },
      {
        "src": "192.168.122.139",
        "sport": 49755,
        "dst": "172.253.157.95",
        "dport": 443,
        "offset": 46264,
        "time": 17.360344171524048
      },
      {
        "src": "192.168.122.139",
        "sport": 49785,
        "dst": "142.251.168.102",
        "dport": 443,
        "offset": 47456,
        "time": 23.36425805091858
      },
      {
        "src": "192.168.122.139",
        "sport": 49754,
        "dst": "142.251.16.94",
        "dport": 443,
        "offset": 51430,
        "time": 23.39749503135681
      },
      {
        "src": "192.168.122.139",
        "sport": 49787,
        "dst": "192.178.183.94",
        "dport": 443,
        "offset": 53224,
        "time": 23.555591106414795
      }
    ],
    "udp": [
      {
        "src": "192.168.122.139",
        "sport": 58621,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 46017,
        "time": 12.193662166595459
      },
      {
        "src": "192.168.122.139",
        "sport": 50029,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 46912,
        "time": 23.32943320274353
      },
      {
        "src": "192.168.122.139",
        "sport": 53987,
        "dst": "192.168.122.1",
        "dport": 53,
        "offset": 52752,
        "time": 23.48100519180298
      }
    ],
    "icmp": [],
    "http": [],
    "dns": [
      {
        "request": "wmploc.dll",
        "type": "A",
        "answers": [
          {
            "type": "NXDOMAIN",
            "data": ""
          }
        ],
        "first_seen": 1782751066.522021
      },
      {
        "request": "beacons.gcp.gvt2.com",
        "type": "A",
        "answers": [
          {
            "type": "CNAME",
            "data": "beacons-handoff.gcp.gvt2.com"
          },
          {
            "type": "A",
            "data": "192.178.183.94"
          }
        ],
        "first_seen": 1782751077.809364
      }
    ],
    "smtp": [],
    "irc": [],
    "dead_hosts": []
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "stealth_network",
      "description": "Network activity detected but not expressed in monitor API logs",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "ip": "192.178.183.94"
        },
        {
          "ip": "142.251.16.94"
        },
        {
          "ip": "172.253.157.95"
        },
        {
          "ip": "151.101.206.172"
        },
        {
          "ip": "20.190.159.23"
        },
        {
          "domain": "wmploc.dll"
        },
        {
          "domain": "beacons.gcp.gvt2.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4120,
          "cid": 62
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antidebug_setunhandledexceptionfilter",
      "description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
      "categories": [
        "anti-debug"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4120,
          "cid": 15
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "query_fips_reconnaissance",
      "description": "Queried the FIPS cryptography policy; this can be used to adapt C2 network encryption, or by legitimate encryption software",
      "categories": [
        "discovery",
        "c2"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4120,
          "cid": 123
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 124
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 127
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 129
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 130
        },
        {
          "behavioral_fips_reconnaissance": [
            "cmd.exe (PID: 4120) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "cmd.exe (PID: 4120) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "cmd.exe (PID: 4120) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "cmd.exe (PID: 4120) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
            "cmd.exe (PID: 4120) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'"
          ]
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "mountpoints_volume_discovery",
      "description": "Queries the mount points and then resolves volume paths to enumerate storage devices",
      "categories": [
        "discovery",
        "ransomware",
        "wiper"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4120,
          "cid": 211
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 216
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 225
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 228
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 233
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 241
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 243
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 248
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "discover_registry_mount_points",
      "description": "Queries registry mount points to identify historical or connected removable/network drives",
      "categories": [
        "discovery",
        "ransomware",
        "wiper"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Data"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-100000000000}\\Data"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-10e008000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e1e1ae7a-0000-0000-0000-300300000000}\\Data"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "process_creation_suspicious_location",
      "description": "Created a process from a suspicious location",
      "categories": [
        "execution"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "file": "C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4"
        },
        {
          "command": "\"C:\\Users\\Rajesh\\AppData\\Local\\Temp\\ssstik.io__jeznions_.mp4\" "
        },
        {
          "type": "call",
          "pid": 4120,
          "cid": 89
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 2.5,
  "ttps": [
    {
      "signature": "query_fips_reconnaissance",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "mountpoints_volume_discovery",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "process_creation_suspicious_location",
      "ttps": [
        "T1106"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "discover_registry_mount_points",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": null
}